diff --git a/packages/efficient_ip/LICENSE.txt b/packages/efficient_ip/LICENSE.txt
new file mode 100644
index 00000000000..809108b857f
--- /dev/null
+++ b/packages/efficient_ip/LICENSE.txt
@@ -0,0 +1,93 @@
+Elastic License 2.0
+
+URL: https://www.elastic.co/licensing/elastic-license
+
+## Acceptance
+
+By using the software, you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide,
+non-sublicensable, non-transferable license to use, copy, distribute, make
+available, and prepare derivative works of the software, in each case subject to
+the limitations and conditions below.
+
+## Limitations
+
+You may not provide the software to third parties as a hosted or managed
+service, where the service provides users with access to any substantial set of
+the features or functionality of the software.
+
+You may not move, change, disable, or circumvent the license key functionality
+in the software, and you may not remove or obscure any functionality in the
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other notices
+of the licensor in the software. Any use of the licensor’s trademarks is subject
+to applicable law.
+
+## Patents
+
+The licensor grants you a license, under any patent claims the licensor can
+license, or becomes able to license, to make, have made, use, sell, offer for
+sale, import and have imported the software, in each case subject to the
+limitations and conditions in this license. This license does not cover any
+patent claims that you cause to be infringed by modifications or additions to
+the software. If you or your company make any written claim that the software
+infringes or contributes to infringement of any patent, your patent license for
+the software granted under these terms ends immediately. If your company makes
+such a claim, your patent license ends immediately for work on behalf of your
+company.
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of the software from you
+also gets a copy of these terms.
+
+If you modify the software, you must include in any modified copies of the
+software prominent notices stating that you have modified the software.
+
+## No Other Rights
+
+These terms do not imply any licenses other than those expressly granted in
+these terms.
+
+## Termination
+
+If you use the software in violation of these terms, such use is not licensed,
+and your licenses will automatically terminate. If the licensor provides you
+with a notice of your violation, and you cease all violation of this license no
+later than 30 days after you receive that notice, your licenses will be
+reinstated retroactively. However, if you violate these terms after such
+reinstatement, any additional violation of these terms will cause your licenses
+to terminate automatically and permanently.
+
+## No Liability
+
+*As far as the law allows, the software comes as is, without any warranty or
+condition, and the licensor will not be liable to you for any damages arising
+out of these terms or the use or nature of the software, under any kind of
+legal claim.*
+
+## Definitions
+
+The **licensor** is the entity offering these terms, and the **software** is the
+software the licensor makes available under these terms, including any portion
+of it.
+
+**you** refers to the individual or entity agreeing to these terms.
+
+**your company** is any legal entity, sole proprietorship, or other kind of
+organization that you work for, plus all organizations that have control over,
+are under the control of, or are under common control with that
+organization. **control** means ownership of substantially all the assets of an
+entity, or the power to direct its management and policies by vote, contract, or
+otherwise. Control can be direct or indirect.
+
+**your licenses** are all the licenses granted to you for the software under
+these terms.
+
+**use** means anything you do with the software requiring one of your licenses.
+
+**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/efficient_ip/_dev/build/docs/README.md b/packages/efficient_ip/_dev/build/docs/README.md
new file mode 100644
index 00000000000..88fd0e14a91
--- /dev/null
+++ b/packages/efficient_ip/_dev/build/docs/README.md
@@ -0,0 +1,64 @@
+{{- generatedHeader }}
+{{/*
+This template can be used as a starting point for writing documentation for your new integration. For each section, fill in the details
+described in the comments.
+
+Find more detailed documentation guidelines in https://www.elastic.co/docs/extend/integrations/documentation-guidelines
+*/}}
+# EfficientIP Integration for Elastic
+
+The EfficientIP integration collects and parses data from [EfficientIP](https://efficientip.com/) DDI (DNS, DHCP, and IPAM) solutions, enabling centralized monitoring and analysis of network infrastructure events within Elastic.
+
+## Overview
+{{/* Complete this section with a short summary of what data this integration collects and what use cases it enables */}}
+The EfficientIP integration for Elastic enables collection of event logs from DNS, DHCP and IPAM. This integration enables the
+following use cases:
+- DNS query monitoring and threat detection
+- DHCP lease management and IP address tracking
+- IPAM auditing and infrastructure compliance
+- Network anomaly identification and security investigations
+
+### Compatibility
+{{/* Complete this section with information on what 3rd party software or hardware versions this integration is compatible with */}}
+This integration is tested with EfficientIP version 8.4.7e
+
+## What data does this integration collect?
+{{/* Complete this section with information on what types of data the integration collects, and link to reference documentation if available */}}
+This integration collects the following data types from EfficientIP DDI solutions:
+
+- **DNS Events**: Query logs, response codes, and DNS transactions
+- **DHCP Events**: Lease assignments, renewals, releases, and IP address allocations
+- **IPAM Events**: Address space changes, subnet modifications, and infrastructure audits
+
+All events are forwarded via syslog and processed through Elastic ingest pipelines for analysis and visualization within the Elastic Stack.
+
+
+## What do I need to use this integration?
+{{/* List any vendor-specific prerequisites needed before starting to install the integration. */}}
+Minimum requierment Elastic stack 9.0.x and EfficientIP version 8.4.7e
+
+
+## Deployment methods
+This integration supports the following deployment methods:
+
+**Syslog-based**: EfficientIP nodes forward events to a syslog destination where Elastic Agent collects and processes the data.
+
+To configure syslog forwarding on an EfficientIP node:
+
+1. Access the EfficientIP administration interface
+2. Navigate to **System Settings** > **Logging** or **Event Forwarding**
+3. Select **Syslog** as the destination type
+4. Enter the syslog receiver host IP address and port
+6. Verify the connection and enable syslog forwarding
+7. Configure Elastic Agent to listen on the syslog port and ingest the forwarded events
+
+Refer to the EfficientIP documentation for your version for detailed configuration steps specific to your deployment.
+
+### Agent-based deployment
+Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.
+
+Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
+
+### Inputs used
+{{/* All inputs used by this package will be automatically listed here. */}}
+{{ inputDocs }}
diff --git a/packages/efficient_ip/build/packages/efficient_ip/0.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dhcp.yml b/packages/efficient_ip/build/packages/efficient_ip/0.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dhcp.yml
new file mode 100644
index 00000000000..e42a7345901
--- /dev/null
+++ b/packages/efficient_ip/build/packages/efficient_ip/0.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dhcp.yml
@@ -0,0 +1,339 @@
+---
+description: Pipeline for parsing EfficientIP DHCP logs.
+processors:
+ - set:
+ field: network.protocol
+ value: dhcp
+ - grok:
+ tag: grok_DHCPDISCOVER_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('DHCPDISCOVER')
+ patterns:
+ - '^%{WORD:event.action} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id} uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id}: network %{DATA:efficient_ip.log.dhcp.network}: %{GREEDYDATA:efficient_ip.log.dhcp.discover.message}$'
+ - '^%{WORD:event.action} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{GREEDYDATA:efficient_ip.log.dhcp.trans_id}$'
+ - '^%{WORD:event.action} from %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id} uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} from %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{GREEDYDATA:efficient_ip.log.dhcp.trans_id}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_DHCPOFFER_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('DHCPOFFER')
+ patterns:
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} offered-duration %{NUMBER:efficient_ip.log.dhcp.offered.duration:long} uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} offered-duration %{GREEDYDATA:efficient_ip.log.dhcp.offered.duration:long}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} offered-duration %{GREEDYDATA:efficient_ip.log.dhcp.offered.duration:long} uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} offered-duration %{GREEDYDATA:efficient_ip.log.dhcp.offered.duration:long}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{GREEDYDATA:efficient_ip.log.dhcp.lease.duration:long}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_DHCPREQUEST_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('DHCPREQUEST')
+ patterns:
+ - '^%{WORD:event.action} for %{IP:client.ip} \(%{IP:efficient_ip.log.dhcp.router.ip}\) from %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id} uid %{DATA:efficient_ip.log.dhcp.uid} \(%{GREEDYDATA:efficient_ip.log.dhcp.lease.message}\)$'
+ - '^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id} uid %{DATA:efficient_ip.log.dhcp.uid} \(%{GREEDYDATA:efficient_ip.log.dhcp.lease.message}\)$'
+ - '^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id} uid %{DATA:efficient_ip.log.dhcp.uid}: %{GREEDYDATA:efficient_ip.log.dhcp.request.message}$'
+ - '^%{WORD:event.action} for %{IP:client.ip} \(%{IP:efficient_ip.log.dhcp.router.ip}\) from %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id} uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} for %{IP:client.ip} \(%{IP:efficient_ip.log.dhcp.router.ip}\) from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id} \(%{GREEDYDATA:efficient_ip.log.dhcp.lease.message}\)$'
+ - '^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id} uid %{DATA:efficient_ip.log.dhcp.uid} \(%{GREEDYDATA:efficient_ip.log.dhcp.lease.message}\)$'
+ - '^%{WORD:event.action} for %{IP:client.ip} \(%{IP:efficient_ip.log.dhcp.router.ip}\) from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id}: %{GREEDYDATA:efficient_ip.log.dhcp.request.message}$'
+ - '^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id}: %{GREEDYDATA:efficient_ip.log.dhcp.request.message}$'
+ - '^%{WORD:event.action} for %{IP:client.ip} \(%{IP:efficient_ip.log.dhcp.router.ip}\) from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{GREEDYDATA:efficient_ip.log.dhcp.trans_id}$'
+ - '^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id} uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{GREEDYDATA:efficient_ip.log.dhcp.trans_id}$'
+ - '^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name})$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_DHCPACK_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('DHCPACK')
+ patterns:
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} offered-duration %{NUMBER:efficient_ip.log.dhcp.offered.duration:long} \(%{DATA:efficient_ip.log.dhcp.message}\) uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} offered-duration %{NUMBER:efficient_ip.log.dhcp.offered.duration:long} \(%{DATA:efficient_ip.log.dhcp.message}\) uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} \(%{DATA:efficient_ip.log.dhcp.lease.message}\) uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} (?:\(%{DATA:efficient_ip.log.dhcp.client_hostname}\) )?via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} offered-duration %{NUMBER:efficient_ip.log.dhcp.offered.duration:long} \(%{DATA:efficient_ip.log.dhcp.message}\)$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} \(%{DATA:efficient_ip.log.dhcp.lease.message}\) uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} \(%{DATA:efficient_ip.log.dhcp.lease.message}\)$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} \(%{GREEDYDATA:efficient_ip.log.dhcp.lease.message}\)$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{GREEDYDATA:efficient_ip.log.dhcp.lease.duration:long}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{GREEDYDATA:efficient_ip.log.dhcp.lease.duration:long}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} (?:\(%{DATA:efficient_ip.log.dhcp.client_hostname}\) )?via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} offered-duration %{NUMBER:efficient_ip.log.dhcp.offered.duration:long} \(%{DATA:efficient_ip.log.dhcp.message}\) uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_RELEASE_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('RELEASE')
+ patterns:
+ - '^%{WORD:event.action} of %{IP:client.ip} from %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) \(%{DATA:efficient_ip.log.dhcp.release.info}\) TransID %{DATA:efficient_ip.log.dhcp.trans_id} uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} of %{IP:client.ip} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) \(%{DATA:efficient_ip.log.dhcp.release.info}\) TransID %{GREEDYDATA:efficient_ip.log.dhcp.trans_id}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_DHCPEXPIRE_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('DHCPEXPIRE')
+ patterns:
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{GREEDYDATA:client.mac}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_DHCPINFORM_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('DHCPINFORM')
+ patterns:
+ - '^%{WORD:event.action} from %{IP:client.ip} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id}: %{GREEDYDATA:efficient_ip.log.dhcp.inform.message}$'
+ - '^%{WORD:event.action} from %{IP:client.ip} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{GREEDYDATA:efficient_ip.log.dhcp.trans_id}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_DHCPDECLINE_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('DHCPDECLINE')
+ patterns:
+ - '^%{WORD:event.action} of %{IP:client.ip} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id}: %{GREEDYDATA:efficient_ip.log.dhcp.decline.message}$'
+ - '^%{WORD:event.action} of %{IP:client.ip} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}): %{GREEDYDATA:efficient_ip.log.dhcp.decline.message}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_DHCPNAK_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('DHCPNAK')
+ patterns:
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name})$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_DHCPLEASEQUERY_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('DHCPLEASEQUERY')
+ patterns:
+ - '^%{WORD:event.action} from %{IP:client.ip}: %{GREEDYDATA:efficient_ip.log.dhcp.lease_query.message}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_REFUSED_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('REFUSED')
+ patterns:
+ - '^%{REVERSE_UPDATE:event.action} for %{IP:client.ip} abandoned because of non-retryable failure: %{DATA:event.outcome}$'
+ - '^Unable to %{ADD_FORWARD:event.action} from %{DATA:efficient_ip.log.dhcp.forward_name} to %{IP:efficient_ip.log.dhcp.ip} by server %{IP:server.ip}#%{NUMBER:server.port:long}: %{DATA:event.outcome}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ pattern_definitions:
+ ADD_FORWARD: (?i:add forward map)
+ REVERSE_UPDATE: (?i:reverse map update)
+ - gsub:
+ field: event.action
+ pattern: ' '
+ replacement: '_'
+ if: ctx.event?.outcome?.equalsIgnoreCase('refused') == true
+ - set:
+ field: event.outcome
+ value: failure
+ if: ctx.event?.outcome?.equalsIgnoreCase('refused') == true
+ - grok:
+ tag: grok_Encapsulated_Solicit_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('Encapsulated Solicit')
+ patterns:
+ - '^%{DATA:event.action} message from %{IP:client.ip} port %{NUMBER:client.port:long} from client DUID %{GREEDYDATA:efficient_ip.log.dhcp.duid}, transaction ID %{GREEDYDATA:efficient_ip.log.dhcp.trans_id}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_Advertise_NA_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('Advertise NA')
+ patterns:
+ - '^%{DATA:event.action}: address %{IP:client.ip} to client with duid %{GREEDYDATA:efficient_ip.log.dhcp.duid} iaid = -%{GREEDYDATA:efficient_ip.log.dhcp.iaid} valid for %{NUMBER:efficient_ip.log.dhcp.validation_second:long} seconds$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_Relay_forward_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('Relay-forward')
+ patterns:
+ - '^%{DATA:event.action} message from %{IP:client.ip} port %{NUMBER:client.port:long}, link address %{IP:efficient_ip.log.dhcp.link_address}, peer address %{IP:efficient_ip.log.dhcp.peer_address}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_Encapsulating_Advertise_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('Encapsulating Advertise')
+ patterns:
+ - '^%{DATA:event.action} message to send to %{IP:client.ip} port %{NUMBER:client.port:long}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_Sending_Relay_reply_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('Sending Relay-reply')
+ patterns:
+ - '^%{DATA:event.action} message to %{IP:client.ip} port %{NUMBER:client.port:long}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_fallback_message
+ field: message
+ if: ctx.message != null && ctx.event?.action == null
+ patterns:
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - lowercase:
+ field: event.action
+ ignore_failure: true
+ ignore_missing: true
+ - gsub:
+ field: client.mac
+ ignore_missing: true
+ pattern: '[-:.]'
+ replacement: '-'
+ - uppercase:
+ field: client.mac
+ ignore_missing: true
+ - convert:
+ tag: convert_client_ip
+ field: client.ip
+ if: ctx.client?.ip != null && ctx.client.ip != ''
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: client.ip
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}in pipeline {{{_ingest.pipeline}}}
+ failed with message '{{{ _ingest.on_failure_message }}}'
+ - append:
+ field: related.ip
+ value: '{{{client.ip}}}'
+ if: ctx.client?.ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ tag: convert_dhcp_link_address
+ field: efficient_ip.log.dhcp.link_address
+ if: ctx.efficient_ip?.log?.dhcp?.link_address != null && ctx.efficient_ip.log.dhcp.link_address != ''
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: efficient_ip.log.dhcp.link_address
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}in pipeline {{{_ingest.pipeline}}}
+ failed with message '{{{ _ingest.on_failure_message }}}'
+ - append:
+ field: related.ip
+ value: '{{{efficient_ip.log.dhcp.link_address}}}'
+ if: ctx.efficient_ip?.log?.dhcp?.link_address != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ tag: convert_dhcp_peer_address
+ field: efficient_ip.log.dhcp.peer_address
+ if: ctx.efficient_ip?.log?.dhcp?.peer_address != null && ctx.efficient_ip.log.dhcp.peer_address != ''
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: efficient_ip.log.dhcp.peer_address
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}in pipeline {{{_ingest.pipeline}}}
+ failed with message '{{{ _ingest.on_failure_message }}}'
+ - append:
+ field: related.ip
+ value: '{{{efficient_ip.log.dhcp.peer_address}}}'
+ if: ctx.efficient_ip?.log?.dhcp?.peer_address != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ tag: convert_dhcp_router_ip
+ field: efficient_ip.log.dhcp.router.ip
+ if: ctx.efficient_ip?.log?.dhcp?.router?.ip != null && ctx.efficient_ip.log.dhcp.router.ip != ''
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: efficient_ip.log.dhcp.router.ip
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}in pipeline {{{_ingest.pipeline}}}
+ failed with message '{{{ _ingest.on_failure_message }}}'
+ - append:
+ field: related.ip
+ value: '{{{efficient_ip.log.dhcp.router.ip}}}'
+ if: ctx.efficient_ip?.log?.dhcp?.router?.ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ tag: convert_dhcp_interface_ip
+ field: efficient_ip.log.dhcp.interface.ip
+ if: ctx.efficient_ip?.log?.dhcp?.interface?.ip != null && ctx.efficient_ip.log.dhcp.interface.ip != ''
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: efficient_ip.log.dhcp.interface.ip
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}in pipeline {{{_ingest.pipeline}}}
+ failed with message '{{{ _ingest.on_failure_message }}}'
+ - append:
+ field: related.ip
+ value: '{{{efficient_ip.log.dhcp.interface.ip}}}'
+ if: ctx.efficient_ip?.log?.dhcp?.interface?.ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ tag: convert_dhcp_relay_interface_ip
+ field: efficient_ip.log.dhcp.relay.interface.ip
+ if: ctx.efficient_ip?.log?.dhcp?.relay?.interface?.ip != null && ctx.efficient_ip.log.dhcp.relay.interface.ip != ''
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: efficient_ip.log.dhcp.relay.interface.ip
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}in pipeline {{{_ingest.pipeline}}}
+ failed with message '{{{ _ingest.on_failure_message }}}'
+ - append:
+ field: related.ip
+ value: '{{{efficient_ip.log.dhcp.relay.interface.ip}}}'
+ if: ctx.efficient_ip?.log?.dhcp?.relay?.interface?.ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.hosts
+ value: '{{{efficient_ip.log.dhcp.client_hostname}}}'
+ if: ctx.efficient_ip?.log?.dhcp?.client_hostname != null
+ allow_duplicates: false
+ ignore_failure: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}in pipeline {{{_ingest.pipeline}}}
+ failed with message '{{{ _ingest.on_failure_message }}}'
\ No newline at end of file
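Review bot: The DHCPEXPIRE grok captures `%{GREEDYDATA:client.mac}`, so whatever follows "to " on the line is written to the ECS field `client.mac` unvalidated and then only separator-normalised and uppercased by the later gsub/uppercase processors. Every other message type uses `%{MAC:client.mac}`, and the same should apply here: `- '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac}$'`, leaving non-conforming lines to the existing catch-all pattern. Separately, each grok is gated on a substring test such as `ctx.message.contains('RELEASE')`, while the patterns themselves expect the keyword as the first token. The hostname in parentheses is presumably client-supplied, so a line with a keyword inside it will also run an unrelated grok and land in its catch-all; anchoring the condition, for example `if: ctx.message != null && ctx.message.startsWith('DHCPEXPIRE')`, keeps one parser per line. The file also sits under `build/packages/efficient_ip/0.0.1/`, which looks like generated build output rather than package source, so confirm it is meant to be committed.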
diff --git a/packages/efficient_ip/changelog.yml b/packages/efficient_ip/changelog.yml
new file mode 100644
index 00000000000..983ff10eb05
--- /dev/null
+++ b/packages/efficient_ip/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.0.1"
+ changes:
+ - description: Initial draft of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/18505
diff --git a/packages/efficient_ip/data_stream/log/_dev/test/pipeline/test-dhcp.log b/packages/efficient_ip/data_stream/log/_dev/test/pipeline/test-dhcp.log
new file mode 100644
index 00000000000..3774a7dda66
--- /dev/null
+++ b/packages/efficient_ip/data_stream/log/_dev/test/pipeline/test-dhcp.log
@@ -0,0 +1,695 @@
+<27>Apr 17 13:07:38 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:01 via 172.16.0.1: peer holds all free leases
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.2 from aa:bb:cc:00:00:02 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.2 to aa:bb:cc:00:00:02 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.4 from aa:bb:cc:00:00:03 (device-0002) via 10.1.0.3
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.4 to aa:bb:cc:00:00:03 (device-0002) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 172.16.0.5 from aa:bb:cc:00:00:04 (device-0003) via 172.16.0.6
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 172.16.0.5 to aa:bb:cc:00:00:04 (device-0003) via 172.16.0.6 [86400]
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPINFORM from 10.1.0.7 via 10.1.0.8
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK to 10.1.0.7 (device-0004) via lagg1
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.9 from aa:bb:cc:00:00:06 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.9 to aa:bb:cc:00:00:06 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.10 from aa:bb:cc:00:00:07 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.10 to aa:bb:cc:00:00:07 (device-0001) via 10.1.0.3 [28800]
+<27>Apr 17 13:07:39 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:08 via 10.1.0.11: peer holds all free leases
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.12 from aa:bb:cc:00:00:09 (device-0005) via 10.1.0.13
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.12 to aa:bb:cc:00:00:09 (device-0005) via 10.1.0.13 [28800]
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 172.16.0.14 from aa:bb:cc:00:00:0a (device-0003) via 172.16.0.15
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 172.16.0.14 to aa:bb:cc:00:00:0a (device-0003) via 172.16.0.15 [86400]
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:0b via 172.16.0.16
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:0c via 172.16.0.17
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPOFFER on 172.16.0.18 to aa:bb:cc:00:00:0c (device-0006) via 172.16.0.17 [3600]
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.19 from aa:bb:cc:00:00:0d (device-0007) via 10.1.0.13
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.19 to aa:bb:cc:00:00:0d (device-0007) via 10.1.0.13 [28800]
+<27>Apr 17 13:07:39 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:0e via 10.1.0.20: peer holds all free leases
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 172.16.0.21 from aa:bb:cc:00:00:0f (device-0003) via 172.16.0.22
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 172.16.0.21 to aa:bb:cc:00:00:0f (device-0003) via 172.16.0.22 [86400]
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 172.16.0.23 from aa:bb:cc:00:00:10 (device-0003) via 172.16.0.24
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 172.16.0.23 to aa:bb:cc:00:00:10 (device-0003) via 172.16.0.24 [86400]
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.25 from aa:bb:cc:00:00:11 (device-0008) via 10.1.0.26
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.25 to aa:bb:cc:00:00:11 (device-0008) via 10.1.0.26 [86400]
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.27 from aa:bb:cc:00:00:12 via 10.1.0.28
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.27 to aa:bb:cc:00:00:12 (device-0009) via 10.1.0.28 [86400]
+<27>Apr 17 13:07:39 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:13 via 10.1.0.29: peer holds all free leases
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.30 from aa:bb:cc:00:00:14 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.30 to aa:bb:cc:00:00:14 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.31 from aa:bb:cc:00:00:15 (device-0010) via 10.1.0.3
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.31 to aa:bb:cc:00:00:15 (device-0010) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPINFORM from 10.1.0.32 via 10.1.0.33
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK to 10.1.0.32 (device-0011) via lagg1
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.34 from aa:bb:cc:00:00:17 (device-0012) via 10.1.0.3
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.34 to aa:bb:cc:00:00:17 (device-0012) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 172.16.0.35 from aa:bb:cc:00:00:18 (device-0003) via 172.16.0.36
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 172.16.0.35 to aa:bb:cc:00:00:18 (device-0003) via 172.16.0.36 [86400]
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 172.16.0.37 from aa:bb:cc:00:00:19 (device-0003) via 172.16.0.38
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 172.16.0.37 to aa:bb:cc:00:00:19 (device-0003) via 172.16.0.38 [86400]
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 172.16.0.39 from aa:bb:cc:00:00:1a (device-0003) via 172.16.0.40
+<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 172.16.0.39 to aa:bb:cc:00:00:1a (device-0003) via 172.16.0.40 [86400]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 10.1.0.41 from aa:bb:cc:00:00:1b (device-0013) via 10.1.0.13
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 10.1.0.41 to aa:bb:cc:00:00:1b (device-0013) via 10.1.0.13 [28800]
+<27>Apr 17 13:07:40 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:1c via 10.1.0.20: peer holds all free leases
+<27>Apr 17 13:07:40 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:1d via 10.1.0.42: peer holds all free leases
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 10.1.0.43 from aa:bb:cc:00:00:1e (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 10.1.0.43 to aa:bb:cc:00:00:1e (device-0001) via 10.1.0.3 [28800]
+<27>Apr 17 13:07:40 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:1f via 172.16.0.44: peer holds all free leases
+<27>Apr 17 13:07:40 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:20 via 10.1.0.45: peer holds all free leases
+<27>Apr 17 13:07:40 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:21 via 172.16.0.44: peer holds all free leases
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:22 (device-0014) via 10.1.0.46
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPOFFER on 10.1.0.47 to aa:bb:cc:00:00:22 (device-0014) via 10.1.0.46 [28800]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.48 from aa:bb:cc:00:00:23 (device-0003) via 172.16.0.49
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.48 to aa:bb:cc:00:00:23 (device-0003) via 172.16.0.49 [86400]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 10.1.0.47 (device-0015) from aa:bb:cc:00:00:22 (device-0014) via 10.1.0.46
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 10.1.0.47 to aa:bb:cc:00:00:22 (device-0014) via 10.1.0.46 [28800]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.51 from aa:bb:cc:00:00:24 (device-0003) via 172.16.0.52
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.51 to aa:bb:cc:00:00:24 (device-0003) via 172.16.0.52 [86400]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.53 from aa:bb:cc:00:00:25 (device-0003) via 172.16.0.52
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.53 to aa:bb:cc:00:00:25 (device-0003) via 172.16.0.52 [86400]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.54 from aa:bb:cc:00:00:26 (device-0003) via 172.16.0.55
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.54 to aa:bb:cc:00:00:26 (device-0003) via 172.16.0.55 [86400]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.56 from aa:bb:cc:00:00:27 (device-0016) via 172.16.0.57
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.56 to aa:bb:cc:00:00:27 (device-0016) via 172.16.0.57 [28800]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.56 from aa:bb:cc:00:00:27 (device-0016) via 172.16.0.58
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.56 to aa:bb:cc:00:00:27 (device-0016) via 172.16.0.58 [28800]
+<30>Apr 17 13:07:40 dhcpd[46177]: bind update on 172.16.0.56 got ack from dhcp-server.example.net: xid mismatch.
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPOFFER on 172.16.0.59 to aa:bb:cc:00:00:0b (device-0017) via 172.16.0.16 [3599]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 10.1.0.60 from aa:bb:cc:00:00:28 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 10.1.0.60 to aa:bb:cc:00:00:28 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.61 from aa:bb:cc:00:00:29 (device-0003) via 172.16.0.62
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.61 to aa:bb:cc:00:00:29 (device-0003) via 172.16.0.62 [86400]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 10.1.0.63 from aa:bb:cc:00:00:2a (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 10.1.0.63 to aa:bb:cc:00:00:2a (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.64 from aa:bb:cc:00:00:2b (device-0003) via 172.16.0.24
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.64 to aa:bb:cc:00:00:2b (device-0003) via 172.16.0.24 [86400]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.65 from aa:bb:cc:00:00:2c (device-0003) via 172.16.0.40
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.65 to aa:bb:cc:00:00:2c (device-0003) via 172.16.0.40 [86400]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 10.1.0.66 from aa:bb:cc:00:00:2d (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 10.1.0.66 to aa:bb:cc:00:00:2d (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.67 from aa:bb:cc:00:00:2e (device-0003) via 172.16.0.68
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.67 to aa:bb:cc:00:00:2e (device-0003) via 172.16.0.68 [86400]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.69 from aa:bb:cc:00:00:2f (device-0018) via 172.16.0.57
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.69 to aa:bb:cc:00:00:2f (device-0018) via 172.16.0.57 [28800]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.69 from aa:bb:cc:00:00:2f (device-0018) via 172.16.0.58
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.69 to aa:bb:cc:00:00:2f (device-0018) via 172.16.0.58 [28800]
+<30>Apr 17 13:07:40 dhcpd[46177]: bind update on 172.16.0.69 got ack from dhcp-server.example.net: xid mismatch.
+<27>Apr 17 13:07:40 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:30 via 10.1.0.70: peer holds all free leases
+<27>Apr 17 13:07:40 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:31 via 10.1.0.71: peer holds all free leases
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 10.1.0.72 from aa:bb:cc:00:00:32 (device-0019) via 10.1.0.3
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 10.1.0.72 to aa:bb:cc:00:00:32 (device-0019) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.73 from aa:bb:cc:00:00:33 (device-0003) via 172.16.0.52
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.73 to aa:bb:cc:00:00:33 (device-0003) via 172.16.0.52 [86400]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 10.1.0.74 from aa:bb:cc:00:00:34 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 10.1.0.74 to aa:bb:cc:00:00:34 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.75 from aa:bb:cc:00:00:35 (device-0003) via 172.16.0.76
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.75 to aa:bb:cc:00:00:35 (device-0003) via 172.16.0.76 [86400]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.77 from aa:bb:cc:00:00:36 (device-0003) via 172.16.0.24
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.77 to aa:bb:cc:00:00:36 (device-0003) via 172.16.0.24 [86400]
+<27>Apr 17 13:07:40 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:37 via 10.1.0.78: peer holds all free leases
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 10.1.0.79 from aa:bb:cc:00:00:38 (device-0020) via 10.1.0.80
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 10.1.0.79 to aa:bb:cc:00:00:38 (device-0020) via 10.1.0.80 [86400]
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.81 from aa:bb:cc:00:00:39 (device-0021) via 172.16.0.82
+<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.81 to aa:bb:cc:00:00:39 (device-0021) via 172.16.0.82 [73206]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.83 from aa:bb:cc:00:00:3a (device-0003) via 172.16.0.24
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.83 to aa:bb:cc:00:00:3a (device-0003) via 172.16.0.24 [86400]
+<27>Apr 17 13:07:41 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:3b via 10.1.0.84: peer holds all free leases
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.85 from aa:bb:cc:00:00:3c (device-0003) via 172.16.0.86
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.85 to aa:bb:cc:00:00:3c (device-0003) via 172.16.0.86 [86400]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.87 from aa:bb:cc:00:00:3d (device-0003) via 172.16.0.22
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.87 to aa:bb:cc:00:00:3d (device-0003) via 172.16.0.22 [86400]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPINFORM from 10.1.0.88 via 10.1.0.89
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK to 10.1.0.88 (device-0022) via lagg1
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.90 from aa:bb:cc:00:00:3f (device-0003) via 172.16.0.55
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.90 to aa:bb:cc:00:00:3f (device-0003) via 172.16.0.55 [86400]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPINFORM from 10.1.0.27 via 10.1.0.28
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK to 10.1.0.27 (device-0023) via lagg1
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.91 from aa:bb:cc:00:00:40 (device-0003) via 172.16.0.38
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.91 to aa:bb:cc:00:00:40 (device-0003) via 172.16.0.38 [86400]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 10.1.0.92 from aa:bb:cc:00:00:41 (device-0024) via 10.1.0.93
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 10.1.0.92 to aa:bb:cc:00:00:41 (device-0024) via 10.1.0.93 [86400]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.94 from aa:bb:cc:00:00:42 (device-0003) via 172.16.0.49
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.94 to aa:bb:cc:00:00:42 (device-0003) via 172.16.0.49 [86400]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.95 from aa:bb:cc:00:00:43 (device-0003) via 172.16.0.40
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.95 to aa:bb:cc:00:00:43 (device-0003) via 172.16.0.40 [86400]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:0b via 172.16.0.16
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPOFFER on 172.16.0.59 to aa:bb:cc:00:00:0b (device-0017) via 172.16.0.16 [3600]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.96 from aa:bb:cc:00:00:44 (device-0025) via 172.16.0.97
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.96 to aa:bb:cc:00:00:44 (device-0025) via 172.16.0.97 [28800]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.98 from aa:bb:cc:00:00:45 (device-0003) via 172.16.0.99
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.98 to aa:bb:cc:00:00:45 (device-0003) via 172.16.0.99 [86400]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 10.1.0.100 from aa:bb:cc:00:00:46 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 10.1.0.100 to aa:bb:cc:00:00:46 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.101 from aa:bb:cc:00:00:47 (device-0003) via 172.16.0.22
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.101 to aa:bb:cc:00:00:47 (device-0003) via 172.16.0.22 [86400]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.102 from aa:bb:cc:00:00:48 (device-0003) via 172.16.0.55
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.102 to aa:bb:cc:00:00:48 (device-0003) via 172.16.0.55 [86400]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPINFORM from 172.16.0.103 via 172.16.0.104
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK to 172.16.0.103 (device-0026) via lagg1
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.105 from aa:bb:cc:00:00:4a (device-0003) via 172.16.0.106
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.105 to aa:bb:cc:00:00:4a (device-0003) via 172.16.0.106 [86400]
+<27>Apr 17 13:07:41 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:4b via 172.16.0.107: peer holds all free leases
+<27>Apr 17 13:07:41 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:13 via 10.1.0.29: peer holds all free leases
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 10.1.0.108 from aa:bb:cc:00:00:4c (device-0027) via 10.1.0.109
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 10.1.0.108 to aa:bb:cc:00:00:4c (device-0027) via 10.1.0.109 [86400]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.110 from aa:bb:cc:00:00:4d (device-0003) via 172.16.0.55
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.110 to aa:bb:cc:00:00:4d (device-0003) via 172.16.0.55 [86400]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.111 from aa:bb:cc:00:00:4e (device-0003) via 172.16.0.24
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.111 to aa:bb:cc:00:00:4e (device-0003) via 172.16.0.24 [86400]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.112 from aa:bb:cc:00:00:4f (device-0003) via 172.16.0.113
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.112 to aa:bb:cc:00:00:4f (device-0003) via 172.16.0.113 [86400]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPINFORM from 10.1.0.114 via 10.1.0.89
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK to 10.1.0.114 (device-0028) via lagg1
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.115 from aa:bb:cc:00:00:51 (device-0003) via 172.16.0.116
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.115 to aa:bb:cc:00:00:51 (device-0003) via 172.16.0.116 [86400]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.117 from aa:bb:cc:00:00:52 (device-0003) via 172.16.0.62
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.117 to aa:bb:cc:00:00:52 (device-0003) via 172.16.0.62 [86400]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 10.1.0.118 from aa:bb:cc:00:00:53 (device-0029) via 10.1.0.119
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 10.1.0.118 to aa:bb:cc:00:00:53 (device-0029) via 10.1.0.119 [86400]
+<27>Apr 17 13:07:41 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:54 via 172.16.0.120: peer holds all free leases
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 10.1.0.121 from aa:bb:cc:00:00:55 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 10.1.0.121 to aa:bb:cc:00:00:55 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.122 from aa:bb:cc:00:00:56 (device-0003) via 172.16.0.62
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.122 to aa:bb:cc:00:00:56 (device-0003) via 172.16.0.62 [86400]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.123 from aa:bb:cc:00:00:57 (device-0003) via 172.16.0.124
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.123 to aa:bb:cc:00:00:57 (device-0003) via 172.16.0.124 [86400]
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 10.1.0.125 from aa:bb:cc:00:00:58 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 10.1.0.125 to aa:bb:cc:00:00:58 (device-0001) via 10.1.0.3 [28800]
+<27>Apr 17 13:07:41 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:01 via 172.16.0.1: peer holds all free leases
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.126 from aa:bb:cc:00:00:59 (device-0003) via 172.16.0.40
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.126 to aa:bb:cc:00:00:59 (device-0003) via 172.16.0.40 [86400]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 10.1.0.127 from aa:bb:cc:00:00:5a (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 10.1.0.127 to aa:bb:cc:00:00:5a (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:5b via 172.16.0.124
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 10.1.0.128 from aa:bb:cc:00:00:5c via 10.1.0.129
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 10.1.0.128 to aa:bb:cc:00:00:5c via 10.1.0.129 [28800]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.130 from aa:bb:cc:00:00:5d (device-0030) via 172.16.0.131
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.130 to aa:bb:cc:00:00:5d (device-0030) via 172.16.0.131 [86400]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 10.1.0.72 from aa:bb:cc:00:00:32 (device-0019) via 10.1.0.3
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 10.1.0.72 to aa:bb:cc:00:00:32 (device-0019) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 10.1.0.132 from aa:bb:cc:00:00:5e (device-0031) via 10.1.0.3
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 10.1.0.132 to aa:bb:cc:00:00:5e (device-0031) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.133 from aa:bb:cc:00:00:5f (device-0003) via 172.16.0.15
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.133 to aa:bb:cc:00:00:5f (device-0003) via 172.16.0.15 [86400]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.134 from aa:bb:cc:00:00:60 (device-0003) via 172.16.0.135
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.134 to aa:bb:cc:00:00:60 (device-0003) via 172.16.0.135 [86400]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.136 (device-0015) from aa:bb:cc:00:00:61 via 172.16.0.137: unknown lease 172.16.0.136.
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.138 from aa:bb:cc:00:00:62 (device-0003) via 172.16.0.52
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.138 to aa:bb:cc:00:00:62 (device-0003) via 172.16.0.52 [86400]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 10.1.0.139 from aa:bb:cc:00:00:63 (device-0032) via 10.1.0.140
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 10.1.0.139 to aa:bb:cc:00:00:63 (device-0032) via 10.1.0.140 [86400]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.141 from aa:bb:cc:00:00:64 (device-0003) via 172.16.0.15
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.141 to aa:bb:cc:00:00:64 (device-0003) via 172.16.0.15 [86400]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 10.1.0.142 from aa:bb:cc:00:00:65 (device-0033) via 10.1.0.143
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 10.1.0.142 to aa:bb:cc:00:00:65 (device-0033) via 10.1.0.143 [86400]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:66 via 10.1.0.3
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.144 from aa:bb:cc:00:00:67 (device-0003) via 172.16.0.145
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.144 to aa:bb:cc:00:00:67 (device-0003) via 172.16.0.145 [86400]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.146 from aa:bb:cc:00:00:68 (device-0003) via 172.16.0.24
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.146 to aa:bb:cc:00:00:68 (device-0003) via 172.16.0.24 [86400]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 10.1.0.147 from aa:bb:cc:00:00:69 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 10.1.0.147 to aa:bb:cc:00:00:69 (device-0001) via 10.1.0.3 [28800]
+<27>Apr 17 13:07:42 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:0e via 10.1.0.20: peer holds all free leases
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.148 from aa:bb:cc:00:00:6a (device-0003) via 172.16.0.68
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.148 to aa:bb:cc:00:00:6a (device-0003) via 172.16.0.68 [86400]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 10.1.0.149 from aa:bb:cc:00:00:6b (device-0034) via 10.1.0.150
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 10.1.0.149 to aa:bb:cc:00:00:6b (device-0034) via 10.1.0.150 [86400]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.151 from aa:bb:cc:00:00:6c (device-0003) via 172.16.0.152
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.151 to aa:bb:cc:00:00:6c (device-0003) via 172.16.0.152 [86400]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 10.1.0.153 from aa:bb:cc:00:00:6d (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 10.1.0.153 to aa:bb:cc:00:00:6d (device-0001) via 10.1.0.3 [28800]
+<27>Apr 17 13:07:42 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:1d via 10.1.0.42: peer holds all free leases
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.154 from aa:bb:cc:00:00:6e (device-0003) via 172.16.0.155
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.154 to aa:bb:cc:00:00:6e (device-0003) via 172.16.0.155 [86400]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.156 from aa:bb:cc:00:00:6f (device-0003) via 172.16.0.40
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.156 to aa:bb:cc:00:00:6f (device-0003) via 172.16.0.40 [86400]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.157 from aa:bb:cc:00:00:70 (device-0003) via 172.16.0.135
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.157 to aa:bb:cc:00:00:70 (device-0003) via 172.16.0.135 [86400]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.158 from aa:bb:cc:00:00:71 (device-0003) via 172.16.0.152
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.158 to aa:bb:cc:00:00:71 (device-0003) via 172.16.0.152 [86400]
+<27>Apr 17 13:07:42 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:20 via 10.1.0.45: peer holds all free leases
+<27>Apr 17 13:07:42 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:08 via 10.1.0.11: peer holds all free leases
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.159 from aa:bb:cc:00:00:72 (device-0003) via 172.16.0.160
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.159 to aa:bb:cc:00:00:72 (device-0003) via 172.16.0.160 [86400]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.161 from aa:bb:cc:00:00:73 (device-0003) via 172.16.0.52
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.161 to aa:bb:cc:00:00:73 (device-0003) via 172.16.0.52 [86400]
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 10.1.0.162 from aa:bb:cc:00:00:74 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 10.1.0.162 to aa:bb:cc:00:00:74 (device-0001) via 10.1.0.3 [28800]
+<27>Apr 17 13:07:42 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:75 via 172.16.0.44: peer holds all free leases
+<27>Apr 17 13:07:43 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:1c via 10.1.0.20: peer holds all free leases
+<27>Apr 17 13:07:43 dhcpd[46177]: sqlite3 [database is locked] 1253, will retry in 1s
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.163 from aa:bb:cc:00:00:76 (device-0003) via 172.16.0.164
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.163 to aa:bb:cc:00:00:76 (device-0003) via 172.16.0.164 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.165 from aa:bb:cc:00:00:77 (device-0003) via 172.16.0.68
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.165 to aa:bb:cc:00:00:77 (device-0003) via 172.16.0.68 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.166 from aa:bb:cc:00:00:78 (device-0003) via 172.16.0.6
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.166 to aa:bb:cc:00:00:78 (device-0003) via 172.16.0.6 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.167 from aa:bb:cc:00:00:79 (device-0016) via 10.1.0.3
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.167 to aa:bb:cc:00:00:79 (device-0016) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.168 from aa:bb:cc:00:00:7a (device-0003) via 172.16.0.99
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.168 to aa:bb:cc:00:00:7a (device-0003) via 172.16.0.99 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.169 from aa:bb:cc:00:00:7b (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.169 to aa:bb:cc:00:00:7b (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPOFFER on 172.16.0.170 to aa:bb:cc:00:00:5b (device-0035) via 172.16.0.124 [3599]
+<27>Apr 17 13:07:43 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:1f via 172.16.0.44: peer holds all free leases
+<27>Apr 17 13:07:43 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:21 via 172.16.0.44: peer holds all free leases
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.171 from aa:bb:cc:00:00:7c (device-0003) via 172.16.0.40
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.171 to aa:bb:cc:00:00:7c (device-0003) via 172.16.0.40 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:7d via 172.16.0.172
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.173 from aa:bb:cc:00:00:7e (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.173 to aa:bb:cc:00:00:7e (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.174 from aa:bb:cc:00:00:7f (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.174 to aa:bb:cc:00:00:7f (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.175 from aa:bb:cc:00:00:80 (device-0003) via 172.16.0.176
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.175 to aa:bb:cc:00:00:80 (device-0003) via 172.16.0.176 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.177 from aa:bb:cc:00:00:81 (device-0003) via 172.16.0.86
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.177 to aa:bb:cc:00:00:81 (device-0003) via 172.16.0.86 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.178 from aa:bb:cc:00:00:82 (device-0036) via 10.1.0.179
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.178 to aa:bb:cc:00:00:82 (device-0036) via 10.1.0.179 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.180 from aa:bb:cc:00:00:83 (device-0003) via 172.16.0.181
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.180 to aa:bb:cc:00:00:83 (device-0003) via 172.16.0.181 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.182 from aa:bb:cc:00:00:84 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.182 to aa:bb:cc:00:00:84 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.183 from aa:bb:cc:00:00:85 (device-0003) via 172.16.0.184
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.183 to aa:bb:cc:00:00:85 (device-0003) via 172.16.0.184 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.185 from aa:bb:cc:00:00:86 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.185 to aa:bb:cc:00:00:86 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.186 from aa:bb:cc:00:00:87 (device-0003) via 172.16.0.24
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.186 to aa:bb:cc:00:00:87 (device-0003) via 172.16.0.24 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPOFFER on 10.1.0.187 to aa:bb:cc:00:00:66 (device-0037) via 10.1.0.3 [3599]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.188 from aa:bb:cc:00:00:88 (device-0003) via 172.16.0.176
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.188 to aa:bb:cc:00:00:88 (device-0003) via 172.16.0.176 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.187 (device-0015) from aa:bb:cc:00:00:66 via 10.1.0.3
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.187 to aa:bb:cc:00:00:66 (device-0037) via 10.1.0.3 [3600]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.189 from aa:bb:cc:00:00:89 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.189 to aa:bb:cc:00:00:89 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.190 from aa:bb:cc:00:00:8a (device-0003) via 172.16.0.40
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.190 to aa:bb:cc:00:00:8a (device-0003) via 172.16.0.40 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.191 from aa:bb:cc:00:00:8b (device-0003) via 172.16.0.192
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.191 to aa:bb:cc:00:00:8b (device-0003) via 172.16.0.192 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.193 from aa:bb:cc:00:00:8c (device-0003) via 172.16.0.24
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.193 to aa:bb:cc:00:00:8c (device-0003) via 172.16.0.24 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.194 from aa:bb:cc:00:00:8d (device-0003) via 172.16.0.176
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.194 to aa:bb:cc:00:00:8d (device-0003) via 172.16.0.176 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.195 from aa:bb:cc:00:00:8e (device-0003) via 172.16.0.196
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.195 to aa:bb:cc:00:00:8e (device-0003) via 172.16.0.196 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.197 from aa:bb:cc:00:00:8f (device-0003) via 172.16.0.68
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.197 to aa:bb:cc:00:00:8f (device-0003) via 172.16.0.68 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.198 from aa:bb:cc:00:00:90 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.198 to aa:bb:cc:00:00:90 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:91 via 172.16.0.199
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:92 via 10.1.0.3
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.200 from aa:bb:cc:00:00:93 (device-0003) via 172.16.0.201
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.200 to aa:bb:cc:00:00:93 (device-0003) via 172.16.0.201 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.202 from aa:bb:cc:00:00:94 via 10.1.0.3
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.202 to aa:bb:cc:00:00:94 via 10.1.0.3 [28800]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.203 from aa:bb:cc:00:00:95 (device-0003) via 172.16.0.204
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.203 to aa:bb:cc:00:00:95 (device-0003) via 172.16.0.204 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.205 from aa:bb:cc:00:00:96 (device-0003) via 172.16.0.49
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.205 to aa:bb:cc:00:00:96 (device-0003) via 172.16.0.49 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.206 from aa:bb:cc:00:00:97 (device-0003) via 172.16.0.52
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.206 to aa:bb:cc:00:00:97 (device-0003) via 172.16.0.52 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.207 from aa:bb:cc:00:00:98 (device-0003) via 172.16.0.152
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.207 to aa:bb:cc:00:00:98 (device-0003) via 172.16.0.152 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.142 from aa:bb:cc:00:00:65 (device-0033) via 10.1.0.143
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.142 to aa:bb:cc:00:00:65 (device-0033) via 10.1.0.143 [86400]
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.208 from aa:bb:cc:00:00:99 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.208 to aa:bb:cc:00:00:99 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.209 from aa:bb:cc:00:00:9a (device-0038) via 10.1.0.119
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.209 to aa:bb:cc:00:00:9a (device-0038) via 10.1.0.119 [86400]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.210 from aa:bb:cc:00:00:9b (device-0003) via 172.16.0.40
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.210 to aa:bb:cc:00:00:9b (device-0003) via 172.16.0.40 [86400]
+<27>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:9c via 172.16.0.211: peer holds all free leases
+<27>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:3b via 10.1.0.84: peer holds all free leases
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:9d (device-0039) via 172.16.0.212
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPOFFER on 172.16.0.213 to aa:bb:cc:00:00:9d (device-0039) via 172.16.0.212 [86400]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.214 from aa:bb:cc:00:00:9e (device-0003) via 172.16.0.15
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.214 to aa:bb:cc:00:00:9e (device-0003) via 172.16.0.15 [86400]
+<27>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:9f via 172.16.0.215: peer holds all free leases
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.216 (device-0040) from aa:bb:cc:00:00:a0 (device-0041) via 10.1.0.3
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.216 to aa:bb:cc:00:00:a0 (device-0041) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:5b via 172.16.0.124
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPOFFER on 172.16.0.170 to aa:bb:cc:00:00:5b (device-0035) via 172.16.0.124 [3600]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.218 from aa:bb:cc:00:00:a1 (device-0003) via 172.16.0.40
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.218 to aa:bb:cc:00:00:a1 (device-0003) via 172.16.0.40 [86400]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.162 from aa:bb:cc:00:00:74 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.162 to aa:bb:cc:00:00:74 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPOFFER on 172.16.0.219 to aa:bb:cc:00:00:7d (device-0042) via 172.16.0.172 [3599]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.220 from aa:bb:cc:00:00:a2 (device-0003) via 172.16.0.22
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.220 to aa:bb:cc:00:00:a2 (device-0003) via 172.16.0.22 [86400]
+<27>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:a3 via 172.16.0.221: peer holds all free leases
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.222 from aa:bb:cc:00:00:a4 (device-0003) via 172.16.0.55
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.222 to aa:bb:cc:00:00:a4 (device-0003) via 172.16.0.55 [86400]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.223 from aa:bb:cc:00:00:a5 (device-0043) via 10.1.0.3
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.223 to aa:bb:cc:00:00:a5 (device-0043) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.224 from aa:bb:cc:00:00:a6 (device-0003) via 172.16.0.40
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.224 to aa:bb:cc:00:00:a6 (device-0003) via 172.16.0.40 [86400]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.225 from aa:bb:cc:00:00:a7 (device-0003) via 172.16.0.226
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.225 to aa:bb:cc:00:00:a7 (device-0003) via 172.16.0.226 [86400]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.173 from aa:bb:cc:00:00:7e (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.173 to aa:bb:cc:00:00:7e (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:a8 (device-0044) via 10.1.0.227
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPOFFER on 10.1.0.228 to aa:bb:cc:00:00:a8 (device-0044) via 10.1.0.227 [86400]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.228 (device-0015) from aa:bb:cc:00:00:a8 (device-0044) via 10.1.0.227
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.228 to aa:bb:cc:00:00:a8 (device-0044) via 10.1.0.227 [86400]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.229 from aa:bb:cc:00:00:a9 (device-0045) via 10.1.0.230
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.229 to aa:bb:cc:00:00:a9 (device-0045) via 10.1.0.230 [86400]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.231 from aa:bb:cc:00:00:aa (device-0003) via 172.16.0.40
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.231 to aa:bb:cc:00:00:aa (device-0003) via 172.16.0.40 [86400]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:ab (device-0046) via 10.1.0.46
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPOFFER on 10.1.0.232 to aa:bb:cc:00:00:ab (device-0046) via 10.1.0.46 [28800]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.232 (device-0015) from aa:bb:cc:00:00:ab (device-0046) via 10.1.0.46
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.232 to aa:bb:cc:00:00:ab (device-0046) via 10.1.0.46 [28800]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.233 from aa:bb:cc:00:00:ac (device-0003) via 172.16.0.234
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.233 to aa:bb:cc:00:00:ac (device-0003) via 172.16.0.234 [86400]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:ad (device-0047) via 10.1.0.235
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPOFFER on 10.1.0.236 to aa:bb:cc:00:00:ad (device-0048) via 10.1.0.235 [86400]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.236 (device-0040) from aa:bb:cc:00:00:ad (device-0048) via 10.1.0.235
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.236 to aa:bb:cc:00:00:ad (device-0048) via 10.1.0.235 [86400]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.237 from aa:bb:cc:00:00:ae (device-0003) via 172.16.0.184
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.237 to aa:bb:cc:00:00:ae (device-0003) via 172.16.0.184 [86400]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.238 from aa:bb:cc:00:00:af (device-0049) via 10.1.0.3
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.238 to aa:bb:cc:00:00:af (device-0049) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPOFFER on 172.16.0.239 to aa:bb:cc:00:00:91 (device-0050) via 172.16.0.199 [3599]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPOFFER on 10.1.0.240 to aa:bb:cc:00:00:92 (device-0001) via 10.1.0.3 [3599]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.241 from aa:bb:cc:00:00:b0 (device-0003) via 172.16.0.124
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.241 to aa:bb:cc:00:00:b0 (device-0003) via 172.16.0.124 [86400]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.242 from aa:bb:cc:00:00:b1 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.242 to aa:bb:cc:00:00:b1 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.243 from aa:bb:cc:00:00:b2 (device-0051) via 10.1.0.3
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.243 to aa:bb:cc:00:00:b2 (device-0051) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.244 from aa:bb:cc:00:00:b3 (device-0003) via 172.16.0.116
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.244 to aa:bb:cc:00:00:b3 (device-0003) via 172.16.0.116 [86400]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.245 from aa:bb:cc:00:00:b4 (device-0003) via 172.16.0.22
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.245 to aa:bb:cc:00:00:b4 (device-0003) via 172.16.0.22 [86400]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.246 from aa:bb:cc:00:00:b5 (device-0003) via 172.16.0.247
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.246 to aa:bb:cc:00:00:b5 (device-0003) via 172.16.0.247 [86400]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.248 from aa:bb:cc:00:00:b6 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.248 to aa:bb:cc:00:00:b6 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:b7 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPOFFER on 10.1.0.249 to aa:bb:cc:00:00:b7 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.250 from aa:bb:cc:00:00:b8 (device-0003) via 172.16.0.135
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.250 to aa:bb:cc:00:00:b8 (device-0003) via 172.16.0.135 [86400]
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.251 from aa:bb:cc:00:00:b9 (device-0052) via 172.16.0.252
+<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.251 to aa:bb:cc:00:00:b9 (device-0052) via 172.16.0.252 [64900]
+<27>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:01 via 172.16.0.1: peer holds all free leases
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.0.253 from aa:bb:cc:00:00:ba (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.0.253 to aa:bb:cc:00:00:ba (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.0.254 from aa:bb:cc:00:00:bb (device-0003) via 172.16.0.99
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.0.254 to aa:bb:cc:00:00:bb (device-0003) via 172.16.0.99 [86400]
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.0.255 from aa:bb:cc:00:00:bc (device-0003) via 172.16.0.40
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.0.255 to aa:bb:cc:00:00:bc (device-0003) via 172.16.0.40 [86400]
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.0 from aa:bb:cc:00:00:bd (device-0003) via 172.16.0.52
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.0 to aa:bb:cc:00:00:bd (device-0003) via 172.16.0.52 [86400]
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.1.1 from aa:bb:cc:00:00:be (device-0053) via 10.1.0.3
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.1.1 to aa:bb:cc:00:00:be (device-0053) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.2 from aa:bb:cc:00:00:bf (device-0003) via 172.16.0.36
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.2 to aa:bb:cc:00:00:bf (device-0003) via 172.16.0.36 [86400]
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.3 from aa:bb:cc:00:00:c0 (device-0003) via 172.16.0.164
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.3 to aa:bb:cc:00:00:c0 (device-0003) via 172.16.0.164 [86400]
+<27>Apr 17 13:07:45 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:08 via 10.1.0.11: peer holds all free leases
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.4 from aa:bb:cc:00:00:c1 (device-0001) via 172.16.0.57
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.4 to aa:bb:cc:00:00:c1 (device-0001) via 172.16.0.57 [28800]
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.4 from aa:bb:cc:00:00:c1 (device-0001) via 172.16.0.58
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.4 to aa:bb:cc:00:00:c1 (device-0001) via 172.16.0.58 [28800]
+<30>Apr 17 13:07:45 dhcpd[46177]: bind update on 172.16.1.4 got ack from dhcp-server.example.net: xid mismatch.
+<27>Apr 17 13:07:45 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:4b via 172.16.0.107: peer holds all free leases
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.5 from aa:bb:cc:00:00:c2 (device-0003) via 172.16.0.36
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.5 to aa:bb:cc:00:00:c2 (device-0003) via 172.16.0.36 [86400]
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.0.41 from aa:bb:cc:00:00:1b (device-0013) via 10.1.0.13
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.0.41 to aa:bb:cc:00:00:1b (device-0013) via 10.1.0.13 [28800]
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.1.6 from aa:bb:cc:00:00:c3 (device-0054) via 10.1.0.45
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.1.6 to aa:bb:cc:00:00:c3 (device-0054) via 10.1.0.45 [86400]
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.7 from aa:bb:cc:00:00:c4 (device-0003) via 172.16.0.184
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.7 to aa:bb:cc:00:00:c4 (device-0003) via 172.16.0.184 [86400]
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.1.8 from aa:bb:cc:00:00:c5 (device-0055) via 10.1.0.3
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.1.8 to aa:bb:cc:00:00:c5 (device-0055) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.9 from aa:bb:cc:00:00:c6 (device-0003) via 172.16.0.40
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.9 to aa:bb:cc:00:00:c6 (device-0003) via 172.16.0.40 [86400]
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.1.10 from aa:bb:cc:00:00:c7 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.1.10 to aa:bb:cc:00:00:c7 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.0.72 from aa:bb:cc:00:00:32 (device-0019) via 10.1.0.3
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.0.72 to aa:bb:cc:00:00:32 (device-0019) via 10.1.0.3 [28800]
+<27>Apr 17 13:07:45 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:0e via 10.1.0.20: peer holds all free leases
+<27>Apr 17 13:07:45 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:75 via 172.16.0.44: peer holds all free leases
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:91 via 172.16.0.199
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPOFFER on 172.16.0.239 to aa:bb:cc:00:00:91 (device-0050) via 172.16.0.199 [3600]
+<27>Apr 17 13:07:45 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:30 via 10.1.0.70: peer holds all free leases
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.11 from aa:bb:cc:00:00:c8 (device-0003) via 172.16.0.6
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.11 to aa:bb:cc:00:00:c8 (device-0003) via 172.16.0.6 [86400]
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.0.240 (device-0015) from aa:bb:cc:00:00:92 via 10.1.0.3
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.0.240 to aa:bb:cc:00:00:92 (device-0001) via 10.1.0.3 [3600]
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.12 from aa:bb:cc:00:00:c9 (device-0003) via 172.16.0.68
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.12 to aa:bb:cc:00:00:c9 (device-0003) via 172.16.0.68 [86400]
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.13 from aa:bb:cc:00:00:ca (device-0001) via 172.16.0.57
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.13 to aa:bb:cc:00:00:ca (device-0001) via 172.16.0.57 [28800]
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.13 from aa:bb:cc:00:00:ca (device-0001) via 172.16.0.58
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.13 to aa:bb:cc:00:00:ca (device-0001) via 172.16.0.58 [28800]
+<30>Apr 17 13:07:45 dhcpd[46177]: bind update on 172.16.1.13 got ack from dhcp-server.example.net: xid mismatch.
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.1.14 from aa:bb:cc:00:00:cb (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.1.14 to aa:bb:cc:00:00:cb (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.15 from aa:bb:cc:00:00:cc (device-0003) via 172.16.0.135
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.15 to aa:bb:cc:00:00:cc (device-0003) via 172.16.0.135 [86400]
+<27>Apr 17 13:07:45 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:1d via 10.1.0.42: peer holds all free leases
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.0.249 (device-0040) from aa:bb:cc:00:00:b7 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.0.249 to aa:bb:cc:00:00:b7 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.1.16 from aa:bb:cc:00:00:cd (device-0056) via 10.1.0.11
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.1.16 to aa:bb:cc:00:00:cd (device-0056) via 10.1.0.11 [86400]
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.1.17 from aa:bb:cc:00:00:ce (device-0057) via 10.1.0.45
+<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.1.17 to aa:bb:cc:00:00:ce (device-0057) via 10.1.0.45 [86400]
+<27>Apr 17 13:07:46 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:1c via 10.1.0.20: peer holds all free leases
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.18 from aa:bb:cc:00:00:cf (device-0003) via 172.16.0.40
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.18 to aa:bb:cc:00:00:cf (device-0003) via 172.16.0.40 [86400]
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 10.1.1.19 from aa:bb:cc:00:00:d0 via 10.1.0.129
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 10.1.1.19 to aa:bb:cc:00:00:d0 via 10.1.0.129 [28800]
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.20 from aa:bb:cc:00:00:d1 (device-0058) via 172.16.1.21
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.20 to aa:bb:cc:00:00:d1 (device-0058) via 172.16.1.21 [86400]
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.22 from aa:bb:cc:00:00:d2 (device-0003) via 172.16.0.176
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.22 to aa:bb:cc:00:00:d2 (device-0003) via 172.16.0.176 [86400]
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.23 from aa:bb:cc:00:00:d3 (device-0003) via 172.16.0.176
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.23 to aa:bb:cc:00:00:d3 (device-0003) via 172.16.0.176 [86400]
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.24 from aa:bb:cc:00:00:d4 (device-0003) via 172.16.0.22
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.24 to aa:bb:cc:00:00:d4 (device-0003) via 172.16.0.22 [86400]
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:d5 (device-0059) via 10.1.0.235
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPOFFER on 10.1.1.25 to aa:bb:cc:00:00:d5 (device-0060) via 10.1.0.235 [86400]
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 10.1.1.25 (device-0040) from aa:bb:cc:00:00:d5 (device-0060) via 10.1.0.235
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 10.1.1.25 to aa:bb:cc:00:00:d5 (device-0060) via 10.1.0.235 [86400]
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.26 from aa:bb:cc:00:00:d6 (device-0003) via 172.16.0.38
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.26 to aa:bb:cc:00:00:d6 (device-0003) via 172.16.0.38 [86400]
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.27 from aa:bb:cc:00:00:d7 (device-0003) via 172.16.0.99
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.27 to aa:bb:cc:00:00:d7 (device-0003) via 172.16.0.99 [86400]
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.28 from aa:bb:cc:00:00:d8 (device-0003) via 172.16.0.152
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.28 to aa:bb:cc:00:00:d8 (device-0003) via 172.16.0.152 [86400]
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.29 from aa:bb:cc:00:00:d9 (device-0003) via 172.16.1.30
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.29 to aa:bb:cc:00:00:d9 (device-0003) via 172.16.1.30 [86400]
+<27>Apr 17 13:07:46 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:1f via 172.16.0.44: peer holds all free leases
+<27>Apr 17 13:07:46 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:da via 172.16.0.44: peer holds all free leases
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 10.1.0.253 from aa:bb:cc:00:00:ba (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 10.1.0.253 to aa:bb:cc:00:00:ba (device-0001) via 10.1.0.3 [28800]
+<27>Apr 17 13:07:46 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:21 via 172.16.0.44: peer holds all free leases
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.31 from aa:bb:cc:00:00:db (device-0003) via 172.16.0.6
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.31 to aa:bb:cc:00:00:db (device-0003) via 172.16.0.6 [86400]
+<27>Apr 17 13:07:46 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:31 via 10.1.0.71: peer holds all free leases
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.32 from aa:bb:cc:00:00:dc (device-0003) via 172.16.0.36
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.32 to aa:bb:cc:00:00:dc (device-0003) via 172.16.0.36 [86400]
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 10.1.0.25 from aa:bb:cc:00:00:11 (device-0008) via 10.1.0.26
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 10.1.0.25 to aa:bb:cc:00:00:11 (device-0008) via 10.1.0.26 [86400]
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.33 from aa:bb:cc:00:00:dd (device-0003) via 172.16.1.34
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.33 to aa:bb:cc:00:00:dd (device-0003) via 172.16.1.34 [86400]
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.35 from aa:bb:cc:00:00:de (device-0003) via 172.16.0.184
+<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.35 to aa:bb:cc:00:00:de (device-0003) via 172.16.0.184 [86400]
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.36 from aa:bb:cc:00:00:df (device-0003) via 172.16.0.247
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.36 to aa:bb:cc:00:00:df (device-0003) via 172.16.0.247 [86400]
+<27>Apr 17 13:07:47 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:3b via 10.1.0.84: peer holds all free leases
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.37 from aa:bb:cc:00:00:e0 (device-0003) via 172.16.0.68
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.37 to aa:bb:cc:00:00:e0 (device-0003) via 172.16.0.68 [86400]
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.38 from aa:bb:cc:00:00:e1 (device-0003) via 172.16.0.49
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.38 to aa:bb:cc:00:00:e1 (device-0003) via 172.16.0.49 [86400]
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 10.1.1.39 from aa:bb:cc:00:00:e2 (device-0061) via 10.1.0.3
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 10.1.1.39 to aa:bb:cc:00:00:e2 (device-0061) via 10.1.0.3 [28800]
+<27>Apr 17 13:07:47 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:9c via 172.16.0.211: peer holds all free leases
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.40 from aa:bb:cc:00:00:e3 (device-0003) via 172.16.0.36
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.40 to aa:bb:cc:00:00:e3 (device-0003) via 172.16.0.36 [86400]
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.41 from aa:bb:cc:00:00:e4 (device-0003) via 172.16.0.24
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.41 to aa:bb:cc:00:00:e4 (device-0003) via 172.16.0.24 [86400]
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.42 from aa:bb:cc:00:00:e5 (device-0003) via 172.16.0.160
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.42 to aa:bb:cc:00:00:e5 (device-0003) via 172.16.0.160 [86400]
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.43 from aa:bb:cc:00:00:e6 (device-0003) via 172.16.0.40
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.43 to aa:bb:cc:00:00:e6 (device-0003) via 172.16.0.40 [86400]
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.44 from aa:bb:cc:00:00:e7 (device-0003) via 172.16.0.22
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.44 to aa:bb:cc:00:00:e7 (device-0003) via 172.16.0.22 [86400]
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:e8 via 172.16.0.107
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.45 from aa:bb:cc:00:00:e9 (device-0003) via 172.16.0.15
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.45 to aa:bb:cc:00:00:e9 (device-0003) via 172.16.0.15 [86400]
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.46 from aa:bb:cc:00:00:ea (device-0003) via 172.16.0.40
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.46 to aa:bb:cc:00:00:ea (device-0003) via 172.16.0.40 [86400]
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 10.1.0.19 from aa:bb:cc:00:00:0d (device-0007) via 10.1.0.13
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 10.1.0.19 to aa:bb:cc:00:00:0d (device-0007) via 10.1.0.13 [28800]
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.47 from aa:bb:cc:00:00:eb (device-0003) via 172.16.0.40
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.47 to aa:bb:cc:00:00:eb (device-0003) via 172.16.0.40 [86400]
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 10.1.1.48 from aa:bb:cc:00:00:ec (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 10.1.1.48 to aa:bb:cc:00:00:ec (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.49 from aa:bb:cc:00:00:ed via 172.16.1.50
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.49 to aa:bb:cc:00:00:ed via 172.16.1.50 [86400]
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.51 from aa:bb:cc:00:00:ee (device-0003) via 172.16.1.52
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.51 to aa:bb:cc:00:00:ee (device-0003) via 172.16.1.52 [86400]
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.53 from aa:bb:cc:00:00:ef (device-0003) via 172.16.0.234
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.53 to aa:bb:cc:00:00:ef (device-0003) via 172.16.0.234 [86400]
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 10.1.1.54 from aa:bb:cc:00:00:f0 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 10.1.1.54 to aa:bb:cc:00:00:f0 (device-0001) via 10.1.0.3 [28800]
+<27>Apr 17 13:07:47 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:f1 via 172.16.1.55: peer holds all free leases
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.56 from aa:bb:cc:00:00:f2 (device-0003) via 172.16.1.34
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.56 to aa:bb:cc:00:00:f2 (device-0003) via 172.16.1.34 [86400]
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.57 from aa:bb:cc:00:00:f3 (device-0062) via 172.16.0.172
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.57 to aa:bb:cc:00:00:f3 (device-0062) via 172.16.0.172 [65452]
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.58 from aa:bb:cc:00:00:f4 (device-0003) via 172.16.0.145
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.58 to aa:bb:cc:00:00:f4 (device-0003) via 172.16.0.145 [86400]
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 10.1.1.59 from aa:bb:cc:00:00:f5 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 10.1.1.59 to aa:bb:cc:00:00:f5 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 10.1.1.60 from aa:bb:cc:00:00:f6 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 10.1.1.60 to aa:bb:cc:00:00:f6 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.61 from aa:bb:cc:00:00:f7 (device-0003) via 172.16.0.176
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.61 to aa:bb:cc:00:00:f7 (device-0003) via 172.16.0.176 [86400]
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.62 from aa:bb:cc:00:00:f8 (device-0003) via 172.16.0.52
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.62 to aa:bb:cc:00:00:f8 (device-0003) via 172.16.0.52 [86400]
+<27>Apr 17 13:07:48 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:a3 via 172.16.0.221: peer holds all free leases
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.63 from aa:bb:cc:00:00:f9 (device-0003) via 172.16.0.38
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.63 to aa:bb:cc:00:00:f9 (device-0003) via 172.16.0.38 [86400]
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 10.1.0.92 from aa:bb:cc:00:00:41 (device-0024) via 10.1.0.93
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 10.1.0.92 to aa:bb:cc:00:00:41 (device-0024) via 10.1.0.93 [86400]
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 10.1.1.64 from aa:bb:cc:00:00:fa via 10.1.1.65
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 10.1.1.64 to aa:bb:cc:00:00:fa via 10.1.1.65 [28800]
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.66 from aa:bb:cc:00:00:fb (device-0003) via 172.16.0.116
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.66 to aa:bb:cc:00:00:fb (device-0003) via 172.16.0.116 [86400]
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.67 from aa:bb:cc:00:00:fc (device-0003) via 172.16.0.49
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.67 to aa:bb:cc:00:00:fc (device-0003) via 172.16.0.49 [86400]
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 10.1.1.68 from aa:bb:cc:00:00:fd (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 10.1.1.68 to aa:bb:cc:00:00:fd (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:fe via 172.16.1.69
+<27>Apr 17 13:07:48 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:ff via 10.1.1.70: peer holds all free leases
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPOFFER on 172.16.1.71 to aa:bb:cc:00:00:e8 (device-0063) via 172.16.0.107 [3599]
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.72 from aa:bb:cc:00:01:00 (device-0003) via 172.16.0.40
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.72 to aa:bb:cc:00:01:00 (device-0003) via 172.16.0.40 [86400]
+<27>Apr 17 13:07:48 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:75 via 172.16.0.44: peer holds all free leases
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.73 from aa:bb:cc:00:01:01 (device-0003) via 172.16.0.52
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.73 to aa:bb:cc:00:01:01 (device-0003) via 172.16.0.52 [86400]
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.74 from aa:bb:cc:00:01:02 (device-0003) via 172.16.0.86
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.74 to aa:bb:cc:00:01:02 (device-0003) via 172.16.0.86 [86400]
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.75 from aa:bb:cc:00:01:03 (device-0003) via 172.16.0.17
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.75 to aa:bb:cc:00:01:03 (device-0003) via 172.16.0.17 [86400]
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.76 from aa:bb:cc:00:01:04 (device-0003) via 172.16.0.52
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.76 to aa:bb:cc:00:01:04 (device-0003) via 172.16.0.52 [86400]
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 10.1.1.77 (device-0040) from aa:bb:cc:00:00:92 via 10.1.0.3
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 10.1.1.77 to aa:bb:cc:00:00:92 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 10.1.1.78 from aa:bb:cc:00:01:05 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 10.1.1.78 to aa:bb:cc:00:01:05 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 10.1.0.108 from aa:bb:cc:00:00:4c (device-0027) via 10.1.0.109
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 10.1.0.108 to aa:bb:cc:00:00:4c (device-0027) via 10.1.0.109 [86400]
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 10.1.1.79 from aa:bb:cc:00:01:06 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 10.1.1.79 to aa:bb:cc:00:01:06 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.80 from aa:bb:cc:00:01:07 (device-0003) via 172.16.1.81
+<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.80 to aa:bb:cc:00:01:07 (device-0003) via 172.16.1.81 [86400]
+<27>Apr 17 13:07:49 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:1c via 10.1.0.20: peer holds all free leases
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 10.1.0.118 from aa:bb:cc:00:00:53 (device-0029) via 10.1.0.119
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 10.1.0.118 to aa:bb:cc:00:00:53 (device-0029) via 10.1.0.119 [86400]
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 172.16.1.82 from aa:bb:cc:00:01:08 (device-0003) via 172.16.0.40
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 172.16.1.82 to aa:bb:cc:00:01:08 (device-0003) via 172.16.0.40 [86400]
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 172.16.1.83 from aa:bb:cc:00:01:09 (device-0003) via 172.16.0.52
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 172.16.1.83 to aa:bb:cc:00:01:09 (device-0003) via 172.16.0.52 [86400]
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 172.16.1.84 from aa:bb:cc:00:01:0a (device-0003) via 172.16.1.85
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 172.16.1.84 to aa:bb:cc:00:01:0a (device-0003) via 172.16.1.85 [86400]
+<27>Apr 17 13:07:49 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:01:0b via 172.16.1.86: peer holds all free leases
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 172.16.1.87 from aa:bb:cc:00:01:0c (device-0003) via 172.16.0.124
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 172.16.1.87 to aa:bb:cc:00:01:0c (device-0003) via 172.16.0.124 [86400]
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 172.16.0.5 from aa:bb:cc:00:00:04 (device-0003) via 172.16.0.6
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 172.16.0.5 to aa:bb:cc:00:00:04 (device-0003) via 172.16.0.6 [86400]
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 10.1.1.88 from aa:bb:cc:00:01:0d (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 10.1.1.88 to aa:bb:cc:00:01:0d (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 172.16.0.14 from aa:bb:cc:00:00:0a (device-0003) via 172.16.0.15
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 172.16.0.14 to aa:bb:cc:00:00:0a (device-0003) via 172.16.0.15 [86400]
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 10.1.1.89 from aa:bb:cc:00:01:0e (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 10.1.1.89 to aa:bb:cc:00:01:0e (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPOFFER on 172.16.1.90 to aa:bb:cc:00:00:fe (device-0064) via 172.16.1.69 [3599]
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:fe via 172.16.1.69
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPOFFER on 172.16.1.90 to aa:bb:cc:00:00:fe (device-0064) via 172.16.1.69 [3600]
+<27>Apr 17 13:07:49 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:da via 172.16.0.44: peer holds all free leases
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 172.16.0.21 from aa:bb:cc:00:00:0f (device-0003) via 172.16.0.22
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 172.16.0.21 to aa:bb:cc:00:00:0f (device-0003) via 172.16.0.22 [86400]
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 10.1.1.91 from aa:bb:cc:00:01:0f (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 10.1.1.91 to aa:bb:cc:00:01:0f (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 172.16.0.23 from aa:bb:cc:00:00:10 (device-0003) via 172.16.0.24
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 172.16.0.23 to aa:bb:cc:00:00:10 (device-0003) via 172.16.0.24 [86400]
+<27>Apr 17 13:07:49 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:01:10 via 10.1.0.129: peer holds all free leases
+<27>Apr 17 13:07:49 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:4b via 172.16.0.107: peer holds all free leases
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 10.1.1.92 from aa:bb:cc:00:01:11 (device-0065) via 10.1.0.3
+<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 10.1.1.92 to aa:bb:cc:00:01:11 (device-0065) via 10.1.0.3 [28800]
+<27>Apr 17 13:07:50 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:9f via 172.16.0.215: peer holds all free leases
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.35 from aa:bb:cc:00:00:18 (device-0003) via 172.16.0.36
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.35 to aa:bb:cc:00:00:18 (device-0003) via 172.16.0.36 [86400]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.37 from aa:bb:cc:00:00:19 (device-0003) via 172.16.0.38
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.37 to aa:bb:cc:00:00:19 (device-0003) via 172.16.0.38 [86400]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 10.1.1.93 from aa:bb:cc:00:01:12 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 10.1.1.93 to aa:bb:cc:00:01:12 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.39 from aa:bb:cc:00:00:1a (device-0003) via 172.16.0.40
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.39 to aa:bb:cc:00:00:1a (device-0003) via 172.16.0.40 [86400]
+<27>Apr 17 13:07:50 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:9c via 172.16.0.211: peer holds all free leases
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 10.1.1.94 from aa:bb:cc:00:01:13 (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 10.1.1.94 to aa:bb:cc:00:01:13 (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.136 (device-0015) from aa:bb:cc:00:00:61 via 172.16.0.137: unknown lease 172.16.0.136.
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 10.1.0.149 from aa:bb:cc:00:00:6b (device-0034) via 10.1.0.150
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 10.1.0.149 to aa:bb:cc:00:00:6b (device-0034) via 10.1.0.150 [86400]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.1.95 from aa:bb:cc:00:01:14 via lagg1
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.1.95 to aa:bb:cc:00:01:14 via lagg1 [86400]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.1.96 from aa:bb:cc:00:01:15 (device-0066) via lagg1
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.1.96 to aa:bb:cc:00:01:15 (device-0066) via lagg1 [86400]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.48 from aa:bb:cc:00:00:23 (device-0003) via 172.16.0.49
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.48 to aa:bb:cc:00:00:23 (device-0003) via 172.16.0.49 [86400]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.53 from aa:bb:cc:00:00:25 (device-0003) via 172.16.0.52
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.53 to aa:bb:cc:00:00:25 (device-0003) via 172.16.0.52 [86400]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.51 from aa:bb:cc:00:00:24 (device-0003) via 172.16.0.52
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.51 to aa:bb:cc:00:00:24 (device-0003) via 172.16.0.52 [86400]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.54 from aa:bb:cc:00:00:26 (device-0003) via 172.16.0.55
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.54 to aa:bb:cc:00:00:26 (device-0003) via 172.16.0.55 [86400]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 10.1.1.97 from aa:bb:cc:00:01:16 (device-0067) via 10.1.0.45
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 10.1.1.97 to aa:bb:cc:00:01:16 (device-0067) via 10.1.0.45 [65483]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.1.98 from aa:bb:cc:00:01:17 (device-0068) via lagg1
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.1.98 to aa:bb:cc:00:01:17 (device-0068) via lagg1 [86400]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.61 from aa:bb:cc:00:00:29 (device-0003) via 172.16.0.62
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.61 to aa:bb:cc:00:00:29 (device-0003) via 172.16.0.62 [86400]
+<27>Apr 17 13:07:50 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:30 via 10.1.0.70: peer holds all free leases
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.64 from aa:bb:cc:00:00:2b (device-0003) via 172.16.0.24
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.64 to aa:bb:cc:00:00:2b (device-0003) via 172.16.0.24 [86400]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.65 from aa:bb:cc:00:00:2c (device-0003) via 172.16.0.40
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.65 to aa:bb:cc:00:00:2c (device-0003) via 172.16.0.40 [86400]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 10.1.1.99 from aa:bb:cc:00:01:18 (device-0069) via 10.1.1.100
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 10.1.1.99 to aa:bb:cc:00:01:18 (device-0069) via 10.1.1.100 [55932]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:01:19 via 10.1.1.101
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPOFFER on 10.1.1.102 to aa:bb:cc:00:01:19 via 10.1.1.101 [86400]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 10.1.1.102 (device-0015) from aa:bb:cc:00:01:19 via 10.1.1.101
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 10.1.1.102 to aa:bb:cc:00:01:19 via 10.1.1.101 [86400]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.1.103 from aa:bb:cc:00:01:1a (device-0001) via 172.16.0.57
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.1.103 to aa:bb:cc:00:01:1a (device-0001) via 172.16.0.57 [28800]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.1.103 from aa:bb:cc:00:01:1a (device-0001) via 172.16.0.58
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.1.103 to aa:bb:cc:00:01:1a (device-0001) via 172.16.0.58 [28800]
+<30>Apr 17 13:07:50 dhcpd[46177]: bind update on 172.16.1.103 got ack from dhcp-server.example.net: xid mismatch.
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.67 from aa:bb:cc:00:00:2e (device-0003) via 172.16.0.68
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.67 to aa:bb:cc:00:00:2e (device-0003) via 172.16.0.68 [86400]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 10.1.1.104 from aa:bb:cc:00:01:1b (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 10.1.1.104 to aa:bb:cc:00:01:1b (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 10.1.1.105 from aa:bb:cc:00:01:1c (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 10.1.1.105 to aa:bb:cc:00:01:1c (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 10.1.1.106 from aa:bb:cc:00:01:1d (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 10.1.1.106 to aa:bb:cc:00:01:1d (device-0001) via 10.1.0.3 [28800]
+<27>Apr 17 13:07:50 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:9f via 172.16.0.215: peer holds all free leases
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.1.107 from aa:bb:cc:00:01:1e (device-0070) via 172.16.0.57
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.1.107 to aa:bb:cc:00:01:1e (device-0070) via 172.16.0.57 [28800]
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.1.107 from aa:bb:cc:00:01:1e (device-0070) via 172.16.0.58
+<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.1.107 to aa:bb:cc:00:01:1e (device-0070) via 172.16.0.58 [28800]
+<30>Apr 17 13:07:51 dhcpd[46177]: DHCPREQUEST for 172.16.0.73 from aa:bb:cc:00:00:33 (device-0003) via 172.16.0.52
+<30>Apr 17 13:07:51 dhcpd[46177]: DHCPACK on 172.16.0.73 to aa:bb:cc:00:00:33 (device-0003) via 172.16.0.52 [86400]
+<30>Apr 17 13:07:51 dhcpd[46177]: DHCPREQUEST for 10.1.1.89 from aa:bb:cc:00:01:0e (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:51 dhcpd[46177]: DHCPACK on 10.1.1.89 to aa:bb:cc:00:01:0e (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:51 dhcpd[46177]: bind update on 172.16.1.107 got ack from dhcp-server.example.net: xid mismatch.
+<30>Apr 17 13:07:51 dhcpd[46177]: DHCPREQUEST for 10.1.1.108 from aa:bb:cc:00:01:1f (device-0001) via 10.1.0.3
+<30>Apr 17 13:07:51 dhcpd[46177]: DHCPACK on 10.1.1.108 to aa:bb:cc:00:01:1f (device-0001) via 10.1.0.3 [28800]
+<30>Apr 17 13:07:51 dhcpd[46177]: DHCPREQUEST for 172.16.0.75 from aa:bb:cc:00:00:35 (device-0003) via 172.16.0.76
+<30>Apr 17 13:07:51 dhcpd[46177]: DHCPACK on 172.16.0.75 to aa:bb:cc:00:00:35 (device-0003) via 172.16.0.76 [86400]
+<30>Apr 17 13:07:51 dhcpd[46177]: DHCPREQUEST for 172.16.0.77 from aa:bb:cc:00:00:36 (device-0003) via 172.16.0.24
+<30>Apr 17 13:07:51 dhcpd[46177]: DHCPACK on 172.16.0.77 to aa:bb:cc:00:00:36 (device-0003) via 172.16.0.24 [86400]
\ No newline at end of file
diff --git a/packages/efficient_ip/data_stream/log/_dev/test/pipeline/test-dhcp.log-expected.json b/packages/efficient_ip/data_stream/log/_dev/test/pipeline/test-dhcp.log-expected.json
new file mode 100644
index 00000000000..aa3508328e0
--- /dev/null
+++ b/packages/efficient_ip/data_stream/log/_dev/test/pipeline/test-dhcp.log-expected.json
@@ -0,0 +1,12834 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2026-04-17T13:07:38.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:01 via 172.16.0.1"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:38.000Z",
+ "original": "<27>Apr 17 13:07:38 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:01 via 172.16.0.1: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.2 from aa:bb:cc:00:00:02 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.2 to aa:bb:cc:00:00:02 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.4 from aa:bb:cc:00:00:03 (device-0002) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.4 to aa:bb:cc:00:00:03 (device-0002) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 172.16.0.5 from aa:bb:cc:00:00:04 (device-0003) via 172.16.0.6"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 172.16.0.5 to aa:bb:cc:00:00:04 (device-0003) via 172.16.0.6 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPINFORM from 10.1.0.7 via 10.1.0.8"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK to 10.1.0.7 (device-0004) via lagg1"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.9 from aa:bb:cc:00:00:06 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.9 to aa:bb:cc:00:00:06 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.10 from aa:bb:cc:00:00:07 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.10 to aa:bb:cc:00:00:07 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:08 via 10.1.0.11"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<27>Apr 17 13:07:39 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:08 via 10.1.0.11: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.12 from aa:bb:cc:00:00:09 (device-0005) via 10.1.0.13"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.12 to aa:bb:cc:00:00:09 (device-0005) via 10.1.0.13 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 172.16.0.14 from aa:bb:cc:00:00:0a (device-0003) via 172.16.0.15"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 172.16.0.14 to aa:bb:cc:00:00:0a (device-0003) via 172.16.0.15 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:0b via 172.16.0.16"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:0c via 172.16.0.17"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPOFFER on 172.16.0.18 to aa:bb:cc:00:00:0c (device-0006) via 172.16.0.17 [3600]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.19 from aa:bb:cc:00:00:0d (device-0007) via 10.1.0.13"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.19 to aa:bb:cc:00:00:0d (device-0007) via 10.1.0.13 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:0e via 10.1.0.20"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<27>Apr 17 13:07:39 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:0e via 10.1.0.20: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 172.16.0.21 from aa:bb:cc:00:00:0f (device-0003) via 172.16.0.22"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 172.16.0.21 to aa:bb:cc:00:00:0f (device-0003) via 172.16.0.22 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 172.16.0.23 from aa:bb:cc:00:00:10 (device-0003) via 172.16.0.24"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 172.16.0.23 to aa:bb:cc:00:00:10 (device-0003) via 172.16.0.24 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.25 from aa:bb:cc:00:00:11 (device-0008) via 10.1.0.26"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.25 to aa:bb:cc:00:00:11 (device-0008) via 10.1.0.26 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.27 from aa:bb:cc:00:00:12 via 10.1.0.28"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.27 to aa:bb:cc:00:00:12 (device-0009) via 10.1.0.28 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:13 via 10.1.0.29"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<27>Apr 17 13:07:39 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:13 via 10.1.0.29: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.30 from aa:bb:cc:00:00:14 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.30 to aa:bb:cc:00:00:14 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.31 from aa:bb:cc:00:00:15 (device-0010) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.31 to aa:bb:cc:00:00:15 (device-0010) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPINFORM from 10.1.0.32 via 10.1.0.33"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK to 10.1.0.32 (device-0011) via lagg1"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 10.1.0.34 from aa:bb:cc:00:00:17 (device-0012) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 10.1.0.34 to aa:bb:cc:00:00:17 (device-0012) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 172.16.0.35 from aa:bb:cc:00:00:18 (device-0003) via 172.16.0.36"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 172.16.0.35 to aa:bb:cc:00:00:18 (device-0003) via 172.16.0.36 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 172.16.0.37 from aa:bb:cc:00:00:19 (device-0003) via 172.16.0.38"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 172.16.0.37 to aa:bb:cc:00:00:19 (device-0003) via 172.16.0.38 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPREQUEST for 172.16.0.39 from aa:bb:cc:00:00:1a (device-0003) via 172.16.0.40"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:39.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:39.000Z",
+ "original": "<30>Apr 17 13:07:39 dhcpd[46177]: DHCPACK on 172.16.0.39 to aa:bb:cc:00:00:1a (device-0003) via 172.16.0.40 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 10.1.0.41 from aa:bb:cc:00:00:1b (device-0013) via 10.1.0.13"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 10.1.0.41 to aa:bb:cc:00:00:1b (device-0013) via 10.1.0.13 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:1c via 10.1.0.20"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<27>Apr 17 13:07:40 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:1c via 10.1.0.20: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:1d via 10.1.0.42"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<27>Apr 17 13:07:40 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:1d via 10.1.0.42: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 10.1.0.43 from aa:bb:cc:00:00:1e (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 10.1.0.43 to aa:bb:cc:00:00:1e (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:1f via 172.16.0.44"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<27>Apr 17 13:07:40 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:1f via 172.16.0.44: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:20 via 10.1.0.45"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<27>Apr 17 13:07:40 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:20 via 10.1.0.45: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:21 via 172.16.0.44"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<27>Apr 17 13:07:40 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:21 via 172.16.0.44: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:22 (device-0014) via 10.1.0.46"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPOFFER on 10.1.0.47 to aa:bb:cc:00:00:22 (device-0014) via 10.1.0.46 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.48 from aa:bb:cc:00:00:23 (device-0003) via 172.16.0.49"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.48 to aa:bb:cc:00:00:23 (device-0003) via 172.16.0.49 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 10.1.0.47 (device-0015) from aa:bb:cc:00:00:22 (device-0014) via 10.1.0.46"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 10.1.0.47 to aa:bb:cc:00:00:22 (device-0014) via 10.1.0.46 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.51 from aa:bb:cc:00:00:24 (device-0003) via 172.16.0.52"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.51 to aa:bb:cc:00:00:24 (device-0003) via 172.16.0.52 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.53 from aa:bb:cc:00:00:25 (device-0003) via 172.16.0.52"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.53 to aa:bb:cc:00:00:25 (device-0003) via 172.16.0.52 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.54 from aa:bb:cc:00:00:26 (device-0003) via 172.16.0.55"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.54 to aa:bb:cc:00:00:26 (device-0003) via 172.16.0.55 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.56 from aa:bb:cc:00:00:27 (device-0016) via 172.16.0.57"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.56 to aa:bb:cc:00:00:27 (device-0016) via 172.16.0.57 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.56 from aa:bb:cc:00:00:27 (device-0016) via 172.16.0.58"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.56 to aa:bb:cc:00:00:27 (device-0016) via 172.16.0.58 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "bind update on 172.16.0.56 got ack from dhcp-server.example.net"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: bind update on 172.16.0.56 got ack from dhcp-server.example.net: xid mismatch."
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPOFFER on 172.16.0.59 to aa:bb:cc:00:00:0b (device-0017) via 172.16.0.16 [3599]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 10.1.0.60 from aa:bb:cc:00:00:28 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 10.1.0.60 to aa:bb:cc:00:00:28 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.61 from aa:bb:cc:00:00:29 (device-0003) via 172.16.0.62"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.61 to aa:bb:cc:00:00:29 (device-0003) via 172.16.0.62 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 10.1.0.63 from aa:bb:cc:00:00:2a (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 10.1.0.63 to aa:bb:cc:00:00:2a (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.64 from aa:bb:cc:00:00:2b (device-0003) via 172.16.0.24"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.64 to aa:bb:cc:00:00:2b (device-0003) via 172.16.0.24 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.65 from aa:bb:cc:00:00:2c (device-0003) via 172.16.0.40"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.65 to aa:bb:cc:00:00:2c (device-0003) via 172.16.0.40 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 10.1.0.66 from aa:bb:cc:00:00:2d (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 10.1.0.66 to aa:bb:cc:00:00:2d (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.67 from aa:bb:cc:00:00:2e (device-0003) via 172.16.0.68"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.67 to aa:bb:cc:00:00:2e (device-0003) via 172.16.0.68 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.69 from aa:bb:cc:00:00:2f (device-0018) via 172.16.0.57"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.69 to aa:bb:cc:00:00:2f (device-0018) via 172.16.0.57 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.69 from aa:bb:cc:00:00:2f (device-0018) via 172.16.0.58"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.69 to aa:bb:cc:00:00:2f (device-0018) via 172.16.0.58 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "bind update on 172.16.0.69 got ack from dhcp-server.example.net"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: bind update on 172.16.0.69 got ack from dhcp-server.example.net: xid mismatch."
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:30 via 10.1.0.70"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<27>Apr 17 13:07:40 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:30 via 10.1.0.70: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:31 via 10.1.0.71"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<27>Apr 17 13:07:40 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:31 via 10.1.0.71: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 10.1.0.72 from aa:bb:cc:00:00:32 (device-0019) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 10.1.0.72 to aa:bb:cc:00:00:32 (device-0019) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.73 from aa:bb:cc:00:00:33 (device-0003) via 172.16.0.52"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.73 to aa:bb:cc:00:00:33 (device-0003) via 172.16.0.52 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 10.1.0.74 from aa:bb:cc:00:00:34 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 10.1.0.74 to aa:bb:cc:00:00:34 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.75 from aa:bb:cc:00:00:35 (device-0003) via 172.16.0.76"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.75 to aa:bb:cc:00:00:35 (device-0003) via 172.16.0.76 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.77 from aa:bb:cc:00:00:36 (device-0003) via 172.16.0.24"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.77 to aa:bb:cc:00:00:36 (device-0003) via 172.16.0.24 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:37 via 10.1.0.78"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<27>Apr 17 13:07:40 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:37 via 10.1.0.78: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 10.1.0.79 from aa:bb:cc:00:00:38 (device-0020) via 10.1.0.80"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 10.1.0.79 to aa:bb:cc:00:00:38 (device-0020) via 10.1.0.80 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPREQUEST for 172.16.0.81 from aa:bb:cc:00:00:39 (device-0021) via 172.16.0.82"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:40.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:40.000Z",
+ "original": "<30>Apr 17 13:07:40 dhcpd[46177]: DHCPACK on 172.16.0.81 to aa:bb:cc:00:00:39 (device-0021) via 172.16.0.82 [73206]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.83 from aa:bb:cc:00:00:3a (device-0003) via 172.16.0.24"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.83 to aa:bb:cc:00:00:3a (device-0003) via 172.16.0.24 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:3b via 10.1.0.84"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<27>Apr 17 13:07:41 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:3b via 10.1.0.84: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.85 from aa:bb:cc:00:00:3c (device-0003) via 172.16.0.86"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.85 to aa:bb:cc:00:00:3c (device-0003) via 172.16.0.86 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.87 from aa:bb:cc:00:00:3d (device-0003) via 172.16.0.22"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.87 to aa:bb:cc:00:00:3d (device-0003) via 172.16.0.22 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPINFORM from 10.1.0.88 via 10.1.0.89"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK to 10.1.0.88 (device-0022) via lagg1"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.90 from aa:bb:cc:00:00:3f (device-0003) via 172.16.0.55"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.90 to aa:bb:cc:00:00:3f (device-0003) via 172.16.0.55 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPINFORM from 10.1.0.27 via 10.1.0.28"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK to 10.1.0.27 (device-0023) via lagg1"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.91 from aa:bb:cc:00:00:40 (device-0003) via 172.16.0.38"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.91 to aa:bb:cc:00:00:40 (device-0003) via 172.16.0.38 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 10.1.0.92 from aa:bb:cc:00:00:41 (device-0024) via 10.1.0.93"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 10.1.0.92 to aa:bb:cc:00:00:41 (device-0024) via 10.1.0.93 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.94 from aa:bb:cc:00:00:42 (device-0003) via 172.16.0.49"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.94 to aa:bb:cc:00:00:42 (device-0003) via 172.16.0.49 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.95 from aa:bb:cc:00:00:43 (device-0003) via 172.16.0.40"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.95 to aa:bb:cc:00:00:43 (device-0003) via 172.16.0.40 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:0b via 172.16.0.16"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPOFFER on 172.16.0.59 to aa:bb:cc:00:00:0b (device-0017) via 172.16.0.16 [3600]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.96 from aa:bb:cc:00:00:44 (device-0025) via 172.16.0.97"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.96 to aa:bb:cc:00:00:44 (device-0025) via 172.16.0.97 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.98 from aa:bb:cc:00:00:45 (device-0003) via 172.16.0.99"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.98 to aa:bb:cc:00:00:45 (device-0003) via 172.16.0.99 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 10.1.0.100 from aa:bb:cc:00:00:46 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 10.1.0.100 to aa:bb:cc:00:00:46 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.101 from aa:bb:cc:00:00:47 (device-0003) via 172.16.0.22"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.101 to aa:bb:cc:00:00:47 (device-0003) via 172.16.0.22 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.102 from aa:bb:cc:00:00:48 (device-0003) via 172.16.0.55"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.102 to aa:bb:cc:00:00:48 (device-0003) via 172.16.0.55 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPINFORM from 172.16.0.103 via 172.16.0.104"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK to 172.16.0.103 (device-0026) via lagg1"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.105 from aa:bb:cc:00:00:4a (device-0003) via 172.16.0.106"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.105 to aa:bb:cc:00:00:4a (device-0003) via 172.16.0.106 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:4b via 172.16.0.107"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<27>Apr 17 13:07:41 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:4b via 172.16.0.107: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:13 via 10.1.0.29"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<27>Apr 17 13:07:41 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:13 via 10.1.0.29: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 10.1.0.108 from aa:bb:cc:00:00:4c (device-0027) via 10.1.0.109"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 10.1.0.108 to aa:bb:cc:00:00:4c (device-0027) via 10.1.0.109 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.110 from aa:bb:cc:00:00:4d (device-0003) via 172.16.0.55"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.110 to aa:bb:cc:00:00:4d (device-0003) via 172.16.0.55 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.111 from aa:bb:cc:00:00:4e (device-0003) via 172.16.0.24"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.111 to aa:bb:cc:00:00:4e (device-0003) via 172.16.0.24 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.112 from aa:bb:cc:00:00:4f (device-0003) via 172.16.0.113"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.112 to aa:bb:cc:00:00:4f (device-0003) via 172.16.0.113 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPINFORM from 10.1.0.114 via 10.1.0.89"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK to 10.1.0.114 (device-0028) via lagg1"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.115 from aa:bb:cc:00:00:51 (device-0003) via 172.16.0.116"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.115 to aa:bb:cc:00:00:51 (device-0003) via 172.16.0.116 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.117 from aa:bb:cc:00:00:52 (device-0003) via 172.16.0.62"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.117 to aa:bb:cc:00:00:52 (device-0003) via 172.16.0.62 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 10.1.0.118 from aa:bb:cc:00:00:53 (device-0029) via 10.1.0.119"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 10.1.0.118 to aa:bb:cc:00:00:53 (device-0029) via 10.1.0.119 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:54 via 172.16.0.120"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<27>Apr 17 13:07:41 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:54 via 172.16.0.120: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 10.1.0.121 from aa:bb:cc:00:00:55 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 10.1.0.121 to aa:bb:cc:00:00:55 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.122 from aa:bb:cc:00:00:56 (device-0003) via 172.16.0.62"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.122 to aa:bb:cc:00:00:56 (device-0003) via 172.16.0.62 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 172.16.0.123 from aa:bb:cc:00:00:57 (device-0003) via 172.16.0.124"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 172.16.0.123 to aa:bb:cc:00:00:57 (device-0003) via 172.16.0.124 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPREQUEST for 10.1.0.125 from aa:bb:cc:00:00:58 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<30>Apr 17 13:07:41 dhcpd[46177]: DHCPACK on 10.1.0.125 to aa:bb:cc:00:00:58 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:41.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:01 via 172.16.0.1"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:41.000Z",
+ "original": "<27>Apr 17 13:07:41 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:01 via 172.16.0.1: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.126 from aa:bb:cc:00:00:59 (device-0003) via 172.16.0.40"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.126 to aa:bb:cc:00:00:59 (device-0003) via 172.16.0.40 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 10.1.0.127 from aa:bb:cc:00:00:5a (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 10.1.0.127 to aa:bb:cc:00:00:5a (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:5b via 172.16.0.124"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 10.1.0.128 from aa:bb:cc:00:00:5c via 10.1.0.129"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 10.1.0.128 to aa:bb:cc:00:00:5c via 10.1.0.129 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.130 from aa:bb:cc:00:00:5d (device-0030) via 172.16.0.131"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.130 to aa:bb:cc:00:00:5d (device-0030) via 172.16.0.131 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 10.1.0.72 from aa:bb:cc:00:00:32 (device-0019) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 10.1.0.72 to aa:bb:cc:00:00:32 (device-0019) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 10.1.0.132 from aa:bb:cc:00:00:5e (device-0031) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 10.1.0.132 to aa:bb:cc:00:00:5e (device-0031) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.133 from aa:bb:cc:00:00:5f (device-0003) via 172.16.0.15"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.133 to aa:bb:cc:00:00:5f (device-0003) via 172.16.0.15 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.134 from aa:bb:cc:00:00:60 (device-0003) via 172.16.0.135"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.134 to aa:bb:cc:00:00:60 (device-0003) via 172.16.0.135 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPREQUEST for 172.16.0.136 (device-0015) from aa:bb:cc:00:00:61 via 172.16.0.137"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.136 (device-0015) from aa:bb:cc:00:00:61 via 172.16.0.137: unknown lease 172.16.0.136."
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.138 from aa:bb:cc:00:00:62 (device-0003) via 172.16.0.52"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.138 to aa:bb:cc:00:00:62 (device-0003) via 172.16.0.52 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 10.1.0.139 from aa:bb:cc:00:00:63 (device-0032) via 10.1.0.140"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 10.1.0.139 to aa:bb:cc:00:00:63 (device-0032) via 10.1.0.140 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.141 from aa:bb:cc:00:00:64 (device-0003) via 172.16.0.15"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.141 to aa:bb:cc:00:00:64 (device-0003) via 172.16.0.15 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 10.1.0.142 from aa:bb:cc:00:00:65 (device-0033) via 10.1.0.143"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 10.1.0.142 to aa:bb:cc:00:00:65 (device-0033) via 10.1.0.143 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:66 via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.144 from aa:bb:cc:00:00:67 (device-0003) via 172.16.0.145"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.144 to aa:bb:cc:00:00:67 (device-0003) via 172.16.0.145 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.146 from aa:bb:cc:00:00:68 (device-0003) via 172.16.0.24"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.146 to aa:bb:cc:00:00:68 (device-0003) via 172.16.0.24 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 10.1.0.147 from aa:bb:cc:00:00:69 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 10.1.0.147 to aa:bb:cc:00:00:69 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:0e via 10.1.0.20"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<27>Apr 17 13:07:42 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:0e via 10.1.0.20: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.148 from aa:bb:cc:00:00:6a (device-0003) via 172.16.0.68"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.148 to aa:bb:cc:00:00:6a (device-0003) via 172.16.0.68 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 10.1.0.149 from aa:bb:cc:00:00:6b (device-0034) via 10.1.0.150"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 10.1.0.149 to aa:bb:cc:00:00:6b (device-0034) via 10.1.0.150 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.151 from aa:bb:cc:00:00:6c (device-0003) via 172.16.0.152"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.151 to aa:bb:cc:00:00:6c (device-0003) via 172.16.0.152 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 10.1.0.153 from aa:bb:cc:00:00:6d (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 10.1.0.153 to aa:bb:cc:00:00:6d (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:1d via 10.1.0.42"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<27>Apr 17 13:07:42 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:1d via 10.1.0.42: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.154 from aa:bb:cc:00:00:6e (device-0003) via 172.16.0.155"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.154 to aa:bb:cc:00:00:6e (device-0003) via 172.16.0.155 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.156 from aa:bb:cc:00:00:6f (device-0003) via 172.16.0.40"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.156 to aa:bb:cc:00:00:6f (device-0003) via 172.16.0.40 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.157 from aa:bb:cc:00:00:70 (device-0003) via 172.16.0.135"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.157 to aa:bb:cc:00:00:70 (device-0003) via 172.16.0.135 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.158 from aa:bb:cc:00:00:71 (device-0003) via 172.16.0.152"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.158 to aa:bb:cc:00:00:71 (device-0003) via 172.16.0.152 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:20 via 10.1.0.45"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<27>Apr 17 13:07:42 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:20 via 10.1.0.45: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:08 via 10.1.0.11"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<27>Apr 17 13:07:42 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:08 via 10.1.0.11: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.159 from aa:bb:cc:00:00:72 (device-0003) via 172.16.0.160"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.159 to aa:bb:cc:00:00:72 (device-0003) via 172.16.0.160 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 172.16.0.161 from aa:bb:cc:00:00:73 (device-0003) via 172.16.0.52"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 172.16.0.161 to aa:bb:cc:00:00:73 (device-0003) via 172.16.0.52 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPREQUEST for 10.1.0.162 from aa:bb:cc:00:00:74 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<30>Apr 17 13:07:42 dhcpd[46177]: DHCPACK on 10.1.0.162 to aa:bb:cc:00:00:74 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:42.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:75 via 172.16.0.44"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:42.000Z",
+ "original": "<27>Apr 17 13:07:42 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:75 via 172.16.0.44: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:1c via 10.1.0.20"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<27>Apr 17 13:07:43 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:1c via 10.1.0.20: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<27>Apr 17 13:07:43 dhcpd[46177]: sqlite3 [database is locked] 1253, will retry in 1s"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.163 from aa:bb:cc:00:00:76 (device-0003) via 172.16.0.164"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.163 to aa:bb:cc:00:00:76 (device-0003) via 172.16.0.164 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.165 from aa:bb:cc:00:00:77 (device-0003) via 172.16.0.68"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.165 to aa:bb:cc:00:00:77 (device-0003) via 172.16.0.68 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.166 from aa:bb:cc:00:00:78 (device-0003) via 172.16.0.6"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.166 to aa:bb:cc:00:00:78 (device-0003) via 172.16.0.6 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.167 from aa:bb:cc:00:00:79 (device-0016) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.167 to aa:bb:cc:00:00:79 (device-0016) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.168 from aa:bb:cc:00:00:7a (device-0003) via 172.16.0.99"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.168 to aa:bb:cc:00:00:7a (device-0003) via 172.16.0.99 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.169 from aa:bb:cc:00:00:7b (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.169 to aa:bb:cc:00:00:7b (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPOFFER on 172.16.0.170 to aa:bb:cc:00:00:5b (device-0035) via 172.16.0.124 [3599]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:1f via 172.16.0.44"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<27>Apr 17 13:07:43 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:1f via 172.16.0.44: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:21 via 172.16.0.44"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<27>Apr 17 13:07:43 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:21 via 172.16.0.44: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.171 from aa:bb:cc:00:00:7c (device-0003) via 172.16.0.40"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.171 to aa:bb:cc:00:00:7c (device-0003) via 172.16.0.40 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:7d via 172.16.0.172"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.173 from aa:bb:cc:00:00:7e (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.173 to aa:bb:cc:00:00:7e (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.174 from aa:bb:cc:00:00:7f (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.174 to aa:bb:cc:00:00:7f (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.175 from aa:bb:cc:00:00:80 (device-0003) via 172.16.0.176"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.175 to aa:bb:cc:00:00:80 (device-0003) via 172.16.0.176 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.177 from aa:bb:cc:00:00:81 (device-0003) via 172.16.0.86"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.177 to aa:bb:cc:00:00:81 (device-0003) via 172.16.0.86 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.178 from aa:bb:cc:00:00:82 (device-0036) via 10.1.0.179"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.178 to aa:bb:cc:00:00:82 (device-0036) via 10.1.0.179 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.180 from aa:bb:cc:00:00:83 (device-0003) via 172.16.0.181"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.180 to aa:bb:cc:00:00:83 (device-0003) via 172.16.0.181 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.182 from aa:bb:cc:00:00:84 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.182 to aa:bb:cc:00:00:84 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.183 from aa:bb:cc:00:00:85 (device-0003) via 172.16.0.184"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.183 to aa:bb:cc:00:00:85 (device-0003) via 172.16.0.184 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.185 from aa:bb:cc:00:00:86 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.185 to aa:bb:cc:00:00:86 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.186 from aa:bb:cc:00:00:87 (device-0003) via 172.16.0.24"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.186 to aa:bb:cc:00:00:87 (device-0003) via 172.16.0.24 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPOFFER on 10.1.0.187 to aa:bb:cc:00:00:66 (device-0037) via 10.1.0.3 [3599]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.188 from aa:bb:cc:00:00:88 (device-0003) via 172.16.0.176"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.188 to aa:bb:cc:00:00:88 (device-0003) via 172.16.0.176 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.187 (device-0015) from aa:bb:cc:00:00:66 via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.187 to aa:bb:cc:00:00:66 (device-0037) via 10.1.0.3 [3600]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.189 from aa:bb:cc:00:00:89 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.189 to aa:bb:cc:00:00:89 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.190 from aa:bb:cc:00:00:8a (device-0003) via 172.16.0.40"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.190 to aa:bb:cc:00:00:8a (device-0003) via 172.16.0.40 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.191 from aa:bb:cc:00:00:8b (device-0003) via 172.16.0.192"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.191 to aa:bb:cc:00:00:8b (device-0003) via 172.16.0.192 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.193 from aa:bb:cc:00:00:8c (device-0003) via 172.16.0.24"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.193 to aa:bb:cc:00:00:8c (device-0003) via 172.16.0.24 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.194 from aa:bb:cc:00:00:8d (device-0003) via 172.16.0.176"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.194 to aa:bb:cc:00:00:8d (device-0003) via 172.16.0.176 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.195 from aa:bb:cc:00:00:8e (device-0003) via 172.16.0.196"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.195 to aa:bb:cc:00:00:8e (device-0003) via 172.16.0.196 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.197 from aa:bb:cc:00:00:8f (device-0003) via 172.16.0.68"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.197 to aa:bb:cc:00:00:8f (device-0003) via 172.16.0.68 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.198 from aa:bb:cc:00:00:90 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.198 to aa:bb:cc:00:00:90 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:91 via 172.16.0.199"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:92 via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.200 from aa:bb:cc:00:00:93 (device-0003) via 172.16.0.201"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.200 to aa:bb:cc:00:00:93 (device-0003) via 172.16.0.201 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.202 from aa:bb:cc:00:00:94 via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.202 to aa:bb:cc:00:00:94 via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.203 from aa:bb:cc:00:00:95 (device-0003) via 172.16.0.204"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.203 to aa:bb:cc:00:00:95 (device-0003) via 172.16.0.204 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.205 from aa:bb:cc:00:00:96 (device-0003) via 172.16.0.49"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.205 to aa:bb:cc:00:00:96 (device-0003) via 172.16.0.49 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.206 from aa:bb:cc:00:00:97 (device-0003) via 172.16.0.52"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.206 to aa:bb:cc:00:00:97 (device-0003) via 172.16.0.52 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 172.16.0.207 from aa:bb:cc:00:00:98 (device-0003) via 172.16.0.152"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 172.16.0.207 to aa:bb:cc:00:00:98 (device-0003) via 172.16.0.152 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.142 from aa:bb:cc:00:00:65 (device-0033) via 10.1.0.143"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.142 to aa:bb:cc:00:00:65 (device-0033) via 10.1.0.143 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPREQUEST for 10.1.0.208 from aa:bb:cc:00:00:99 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:43.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:43.000Z",
+ "original": "<30>Apr 17 13:07:43 dhcpd[46177]: DHCPACK on 10.1.0.208 to aa:bb:cc:00:00:99 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.209 from aa:bb:cc:00:00:9a (device-0038) via 10.1.0.119"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.209 to aa:bb:cc:00:00:9a (device-0038) via 10.1.0.119 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.210 from aa:bb:cc:00:00:9b (device-0003) via 172.16.0.40"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.210 to aa:bb:cc:00:00:9b (device-0003) via 172.16.0.40 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:9c via 172.16.0.211"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<27>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:9c via 172.16.0.211: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:3b via 10.1.0.84"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<27>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:3b via 10.1.0.84: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:9d (device-0039) via 172.16.0.212"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPOFFER on 172.16.0.213 to aa:bb:cc:00:00:9d (device-0039) via 172.16.0.212 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.214 from aa:bb:cc:00:00:9e (device-0003) via 172.16.0.15"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.214 to aa:bb:cc:00:00:9e (device-0003) via 172.16.0.15 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:9f via 172.16.0.215"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<27>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:9f via 172.16.0.215: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.216 (device-0040) from aa:bb:cc:00:00:a0 (device-0041) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.216 to aa:bb:cc:00:00:a0 (device-0041) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:5b via 172.16.0.124"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPOFFER on 172.16.0.170 to aa:bb:cc:00:00:5b (device-0035) via 172.16.0.124 [3600]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.218 from aa:bb:cc:00:00:a1 (device-0003) via 172.16.0.40"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.218 to aa:bb:cc:00:00:a1 (device-0003) via 172.16.0.40 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.162 from aa:bb:cc:00:00:74 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.162 to aa:bb:cc:00:00:74 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPOFFER on 172.16.0.219 to aa:bb:cc:00:00:7d (device-0042) via 172.16.0.172 [3599]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.220 from aa:bb:cc:00:00:a2 (device-0003) via 172.16.0.22"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.220 to aa:bb:cc:00:00:a2 (device-0003) via 172.16.0.22 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:a3 via 172.16.0.221"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<27>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:a3 via 172.16.0.221: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.222 from aa:bb:cc:00:00:a4 (device-0003) via 172.16.0.55"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.222 to aa:bb:cc:00:00:a4 (device-0003) via 172.16.0.55 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.223 from aa:bb:cc:00:00:a5 (device-0043) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.223 to aa:bb:cc:00:00:a5 (device-0043) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.224 from aa:bb:cc:00:00:a6 (device-0003) via 172.16.0.40"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.224 to aa:bb:cc:00:00:a6 (device-0003) via 172.16.0.40 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.225 from aa:bb:cc:00:00:a7 (device-0003) via 172.16.0.226"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.225 to aa:bb:cc:00:00:a7 (device-0003) via 172.16.0.226 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.173 from aa:bb:cc:00:00:7e (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.173 to aa:bb:cc:00:00:7e (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:a8 (device-0044) via 10.1.0.227"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPOFFER on 10.1.0.228 to aa:bb:cc:00:00:a8 (device-0044) via 10.1.0.227 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.228 (device-0015) from aa:bb:cc:00:00:a8 (device-0044) via 10.1.0.227"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.228 to aa:bb:cc:00:00:a8 (device-0044) via 10.1.0.227 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.229 from aa:bb:cc:00:00:a9 (device-0045) via 10.1.0.230"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.229 to aa:bb:cc:00:00:a9 (device-0045) via 10.1.0.230 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.231 from aa:bb:cc:00:00:aa (device-0003) via 172.16.0.40"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.231 to aa:bb:cc:00:00:aa (device-0003) via 172.16.0.40 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:ab (device-0046) via 10.1.0.46"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPOFFER on 10.1.0.232 to aa:bb:cc:00:00:ab (device-0046) via 10.1.0.46 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.232 (device-0015) from aa:bb:cc:00:00:ab (device-0046) via 10.1.0.46"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.232 to aa:bb:cc:00:00:ab (device-0046) via 10.1.0.46 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.233 from aa:bb:cc:00:00:ac (device-0003) via 172.16.0.234"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.233 to aa:bb:cc:00:00:ac (device-0003) via 172.16.0.234 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:ad (device-0047) via 10.1.0.235"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPOFFER on 10.1.0.236 to aa:bb:cc:00:00:ad (device-0048) via 10.1.0.235 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.236 (device-0040) from aa:bb:cc:00:00:ad (device-0048) via 10.1.0.235"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.236 to aa:bb:cc:00:00:ad (device-0048) via 10.1.0.235 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.237 from aa:bb:cc:00:00:ae (device-0003) via 172.16.0.184"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.237 to aa:bb:cc:00:00:ae (device-0003) via 172.16.0.184 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.238 from aa:bb:cc:00:00:af (device-0049) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.238 to aa:bb:cc:00:00:af (device-0049) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPOFFER on 172.16.0.239 to aa:bb:cc:00:00:91 (device-0050) via 172.16.0.199 [3599]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPOFFER on 10.1.0.240 to aa:bb:cc:00:00:92 (device-0001) via 10.1.0.3 [3599]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.241 from aa:bb:cc:00:00:b0 (device-0003) via 172.16.0.124"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.241 to aa:bb:cc:00:00:b0 (device-0003) via 172.16.0.124 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.242 from aa:bb:cc:00:00:b1 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.242 to aa:bb:cc:00:00:b1 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.243 from aa:bb:cc:00:00:b2 (device-0051) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.243 to aa:bb:cc:00:00:b2 (device-0051) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.244 from aa:bb:cc:00:00:b3 (device-0003) via 172.16.0.116"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.244 to aa:bb:cc:00:00:b3 (device-0003) via 172.16.0.116 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.245 from aa:bb:cc:00:00:b4 (device-0003) via 172.16.0.22"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.245 to aa:bb:cc:00:00:b4 (device-0003) via 172.16.0.22 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.246 from aa:bb:cc:00:00:b5 (device-0003) via 172.16.0.247"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.246 to aa:bb:cc:00:00:b5 (device-0003) via 172.16.0.247 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 10.1.0.248 from aa:bb:cc:00:00:b6 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 10.1.0.248 to aa:bb:cc:00:00:b6 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:b7 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPOFFER on 10.1.0.249 to aa:bb:cc:00:00:b7 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.250 from aa:bb:cc:00:00:b8 (device-0003) via 172.16.0.135"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.250 to aa:bb:cc:00:00:b8 (device-0003) via 172.16.0.135 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPREQUEST for 172.16.0.251 from aa:bb:cc:00:00:b9 (device-0052) via 172.16.0.252"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<30>Apr 17 13:07:44 dhcpd[46177]: DHCPACK on 172.16.0.251 to aa:bb:cc:00:00:b9 (device-0052) via 172.16.0.252 [64900]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:44.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:01 via 172.16.0.1"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:44.000Z",
+ "original": "<27>Apr 17 13:07:44 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:01 via 172.16.0.1: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.0.253 from aa:bb:cc:00:00:ba (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.0.253 to aa:bb:cc:00:00:ba (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.0.254 from aa:bb:cc:00:00:bb (device-0003) via 172.16.0.99"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.0.254 to aa:bb:cc:00:00:bb (device-0003) via 172.16.0.99 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.0.255 from aa:bb:cc:00:00:bc (device-0003) via 172.16.0.40"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.0.255 to aa:bb:cc:00:00:bc (device-0003) via 172.16.0.40 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.0 from aa:bb:cc:00:00:bd (device-0003) via 172.16.0.52"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.0 to aa:bb:cc:00:00:bd (device-0003) via 172.16.0.52 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.1.1 from aa:bb:cc:00:00:be (device-0053) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.1.1 to aa:bb:cc:00:00:be (device-0053) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.2 from aa:bb:cc:00:00:bf (device-0003) via 172.16.0.36"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.2 to aa:bb:cc:00:00:bf (device-0003) via 172.16.0.36 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.3 from aa:bb:cc:00:00:c0 (device-0003) via 172.16.0.164"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.3 to aa:bb:cc:00:00:c0 (device-0003) via 172.16.0.164 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:08 via 10.1.0.11"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<27>Apr 17 13:07:45 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:08 via 10.1.0.11: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.4 from aa:bb:cc:00:00:c1 (device-0001) via 172.16.0.57"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.4 to aa:bb:cc:00:00:c1 (device-0001) via 172.16.0.57 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.4 from aa:bb:cc:00:00:c1 (device-0001) via 172.16.0.58"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.4 to aa:bb:cc:00:00:c1 (device-0001) via 172.16.0.58 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "bind update on 172.16.1.4 got ack from dhcp-server.example.net"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: bind update on 172.16.1.4 got ack from dhcp-server.example.net: xid mismatch."
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:4b via 172.16.0.107"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<27>Apr 17 13:07:45 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:4b via 172.16.0.107: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.5 from aa:bb:cc:00:00:c2 (device-0003) via 172.16.0.36"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.5 to aa:bb:cc:00:00:c2 (device-0003) via 172.16.0.36 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.0.41 from aa:bb:cc:00:00:1b (device-0013) via 10.1.0.13"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.0.41 to aa:bb:cc:00:00:1b (device-0013) via 10.1.0.13 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.1.6 from aa:bb:cc:00:00:c3 (device-0054) via 10.1.0.45"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.1.6 to aa:bb:cc:00:00:c3 (device-0054) via 10.1.0.45 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.7 from aa:bb:cc:00:00:c4 (device-0003) via 172.16.0.184"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.7 to aa:bb:cc:00:00:c4 (device-0003) via 172.16.0.184 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.1.8 from aa:bb:cc:00:00:c5 (device-0055) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.1.8 to aa:bb:cc:00:00:c5 (device-0055) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.9 from aa:bb:cc:00:00:c6 (device-0003) via 172.16.0.40"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.9 to aa:bb:cc:00:00:c6 (device-0003) via 172.16.0.40 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.1.10 from aa:bb:cc:00:00:c7 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.1.10 to aa:bb:cc:00:00:c7 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.0.72 from aa:bb:cc:00:00:32 (device-0019) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.0.72 to aa:bb:cc:00:00:32 (device-0019) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:0e via 10.1.0.20"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<27>Apr 17 13:07:45 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:0e via 10.1.0.20: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:75 via 172.16.0.44"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<27>Apr 17 13:07:45 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:75 via 172.16.0.44: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:91 via 172.16.0.199"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPOFFER on 172.16.0.239 to aa:bb:cc:00:00:91 (device-0050) via 172.16.0.199 [3600]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:30 via 10.1.0.70"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<27>Apr 17 13:07:45 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:30 via 10.1.0.70: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.11 from aa:bb:cc:00:00:c8 (device-0003) via 172.16.0.6"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.11 to aa:bb:cc:00:00:c8 (device-0003) via 172.16.0.6 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.0.240 (device-0015) from aa:bb:cc:00:00:92 via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.0.240 to aa:bb:cc:00:00:92 (device-0001) via 10.1.0.3 [3600]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.12 from aa:bb:cc:00:00:c9 (device-0003) via 172.16.0.68"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.12 to aa:bb:cc:00:00:c9 (device-0003) via 172.16.0.68 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.13 from aa:bb:cc:00:00:ca (device-0001) via 172.16.0.57"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.13 to aa:bb:cc:00:00:ca (device-0001) via 172.16.0.57 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.13 from aa:bb:cc:00:00:ca (device-0001) via 172.16.0.58"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.13 to aa:bb:cc:00:00:ca (device-0001) via 172.16.0.58 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "bind update on 172.16.1.13 got ack from dhcp-server.example.net"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: bind update on 172.16.1.13 got ack from dhcp-server.example.net: xid mismatch."
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.1.14 from aa:bb:cc:00:00:cb (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.1.14 to aa:bb:cc:00:00:cb (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 172.16.1.15 from aa:bb:cc:00:00:cc (device-0003) via 172.16.0.135"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 172.16.1.15 to aa:bb:cc:00:00:cc (device-0003) via 172.16.0.135 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:1d via 10.1.0.42"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<27>Apr 17 13:07:45 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:1d via 10.1.0.42: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.0.249 (device-0040) from aa:bb:cc:00:00:b7 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.0.249 to aa:bb:cc:00:00:b7 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.1.16 from aa:bb:cc:00:00:cd (device-0056) via 10.1.0.11"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.1.16 to aa:bb:cc:00:00:cd (device-0056) via 10.1.0.11 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPREQUEST for 10.1.1.17 from aa:bb:cc:00:00:ce (device-0057) via 10.1.0.45"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:45.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:45.000Z",
+ "original": "<30>Apr 17 13:07:45 dhcpd[46177]: DHCPACK on 10.1.1.17 to aa:bb:cc:00:00:ce (device-0057) via 10.1.0.45 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:1c via 10.1.0.20"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<27>Apr 17 13:07:46 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:1c via 10.1.0.20: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.18 from aa:bb:cc:00:00:cf (device-0003) via 172.16.0.40"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.18 to aa:bb:cc:00:00:cf (device-0003) via 172.16.0.40 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 10.1.1.19 from aa:bb:cc:00:00:d0 via 10.1.0.129"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 10.1.1.19 to aa:bb:cc:00:00:d0 via 10.1.0.129 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.20 from aa:bb:cc:00:00:d1 (device-0058) via 172.16.1.21"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.20 to aa:bb:cc:00:00:d1 (device-0058) via 172.16.1.21 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.22 from aa:bb:cc:00:00:d2 (device-0003) via 172.16.0.176"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.22 to aa:bb:cc:00:00:d2 (device-0003) via 172.16.0.176 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.23 from aa:bb:cc:00:00:d3 (device-0003) via 172.16.0.176"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.23 to aa:bb:cc:00:00:d3 (device-0003) via 172.16.0.176 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.24 from aa:bb:cc:00:00:d4 (device-0003) via 172.16.0.22"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.24 to aa:bb:cc:00:00:d4 (device-0003) via 172.16.0.22 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:d5 (device-0059) via 10.1.0.235"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPOFFER on 10.1.1.25 to aa:bb:cc:00:00:d5 (device-0060) via 10.1.0.235 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 10.1.1.25 (device-0040) from aa:bb:cc:00:00:d5 (device-0060) via 10.1.0.235"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 10.1.1.25 to aa:bb:cc:00:00:d5 (device-0060) via 10.1.0.235 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.26 from aa:bb:cc:00:00:d6 (device-0003) via 172.16.0.38"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.26 to aa:bb:cc:00:00:d6 (device-0003) via 172.16.0.38 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.27 from aa:bb:cc:00:00:d7 (device-0003) via 172.16.0.99"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.27 to aa:bb:cc:00:00:d7 (device-0003) via 172.16.0.99 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.28 from aa:bb:cc:00:00:d8 (device-0003) via 172.16.0.152"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.28 to aa:bb:cc:00:00:d8 (device-0003) via 172.16.0.152 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.29 from aa:bb:cc:00:00:d9 (device-0003) via 172.16.1.30"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.29 to aa:bb:cc:00:00:d9 (device-0003) via 172.16.1.30 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:1f via 172.16.0.44"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<27>Apr 17 13:07:46 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:1f via 172.16.0.44: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:da via 172.16.0.44"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<27>Apr 17 13:07:46 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:da via 172.16.0.44: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 10.1.0.253 from aa:bb:cc:00:00:ba (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 10.1.0.253 to aa:bb:cc:00:00:ba (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:21 via 172.16.0.44"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<27>Apr 17 13:07:46 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:21 via 172.16.0.44: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.31 from aa:bb:cc:00:00:db (device-0003) via 172.16.0.6"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.31 to aa:bb:cc:00:00:db (device-0003) via 172.16.0.6 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:31 via 10.1.0.71"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<27>Apr 17 13:07:46 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:31 via 10.1.0.71: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.32 from aa:bb:cc:00:00:dc (device-0003) via 172.16.0.36"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.32 to aa:bb:cc:00:00:dc (device-0003) via 172.16.0.36 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 10.1.0.25 from aa:bb:cc:00:00:11 (device-0008) via 10.1.0.26"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 10.1.0.25 to aa:bb:cc:00:00:11 (device-0008) via 10.1.0.26 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.33 from aa:bb:cc:00:00:dd (device-0003) via 172.16.1.34"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.33 to aa:bb:cc:00:00:dd (device-0003) via 172.16.1.34 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPREQUEST for 172.16.1.35 from aa:bb:cc:00:00:de (device-0003) via 172.16.0.184"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:46.000Z",
+ "original": "<30>Apr 17 13:07:46 dhcpd[46177]: DHCPACK on 172.16.1.35 to aa:bb:cc:00:00:de (device-0003) via 172.16.0.184 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.36 from aa:bb:cc:00:00:df (device-0003) via 172.16.0.247"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.36 to aa:bb:cc:00:00:df (device-0003) via 172.16.0.247 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:3b via 10.1.0.84"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<27>Apr 17 13:07:47 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:3b via 10.1.0.84: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.37 from aa:bb:cc:00:00:e0 (device-0003) via 172.16.0.68"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.37 to aa:bb:cc:00:00:e0 (device-0003) via 172.16.0.68 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.38 from aa:bb:cc:00:00:e1 (device-0003) via 172.16.0.49"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.38 to aa:bb:cc:00:00:e1 (device-0003) via 172.16.0.49 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 10.1.1.39 from aa:bb:cc:00:00:e2 (device-0061) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 10.1.1.39 to aa:bb:cc:00:00:e2 (device-0061) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:9c via 172.16.0.211"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<27>Apr 17 13:07:47 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:9c via 172.16.0.211: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.40 from aa:bb:cc:00:00:e3 (device-0003) via 172.16.0.36"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.40 to aa:bb:cc:00:00:e3 (device-0003) via 172.16.0.36 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.41 from aa:bb:cc:00:00:e4 (device-0003) via 172.16.0.24"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.41 to aa:bb:cc:00:00:e4 (device-0003) via 172.16.0.24 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.42 from aa:bb:cc:00:00:e5 (device-0003) via 172.16.0.160"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.42 to aa:bb:cc:00:00:e5 (device-0003) via 172.16.0.160 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.43 from aa:bb:cc:00:00:e6 (device-0003) via 172.16.0.40"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.43 to aa:bb:cc:00:00:e6 (device-0003) via 172.16.0.40 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.44 from aa:bb:cc:00:00:e7 (device-0003) via 172.16.0.22"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.44 to aa:bb:cc:00:00:e7 (device-0003) via 172.16.0.22 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:e8 via 172.16.0.107"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.45 from aa:bb:cc:00:00:e9 (device-0003) via 172.16.0.15"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.45 to aa:bb:cc:00:00:e9 (device-0003) via 172.16.0.15 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.46 from aa:bb:cc:00:00:ea (device-0003) via 172.16.0.40"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.46 to aa:bb:cc:00:00:ea (device-0003) via 172.16.0.40 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 10.1.0.19 from aa:bb:cc:00:00:0d (device-0007) via 10.1.0.13"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 10.1.0.19 to aa:bb:cc:00:00:0d (device-0007) via 10.1.0.13 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.47 from aa:bb:cc:00:00:eb (device-0003) via 172.16.0.40"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.47 to aa:bb:cc:00:00:eb (device-0003) via 172.16.0.40 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 10.1.1.48 from aa:bb:cc:00:00:ec (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 10.1.1.48 to aa:bb:cc:00:00:ec (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.49 from aa:bb:cc:00:00:ed via 172.16.1.50"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.49 to aa:bb:cc:00:00:ed via 172.16.1.50 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.51 from aa:bb:cc:00:00:ee (device-0003) via 172.16.1.52"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.51 to aa:bb:cc:00:00:ee (device-0003) via 172.16.1.52 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.53 from aa:bb:cc:00:00:ef (device-0003) via 172.16.0.234"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.53 to aa:bb:cc:00:00:ef (device-0003) via 172.16.0.234 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 10.1.1.54 from aa:bb:cc:00:00:f0 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 10.1.1.54 to aa:bb:cc:00:00:f0 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:f1 via 172.16.1.55"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<27>Apr 17 13:07:47 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:f1 via 172.16.1.55: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.56 from aa:bb:cc:00:00:f2 (device-0003) via 172.16.1.34"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.56 to aa:bb:cc:00:00:f2 (device-0003) via 172.16.1.34 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.57 from aa:bb:cc:00:00:f3 (device-0062) via 172.16.0.172"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.57 to aa:bb:cc:00:00:f3 (device-0062) via 172.16.0.172 [65452]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 172.16.1.58 from aa:bb:cc:00:00:f4 (device-0003) via 172.16.0.145"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 172.16.1.58 to aa:bb:cc:00:00:f4 (device-0003) via 172.16.0.145 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPREQUEST for 10.1.1.59 from aa:bb:cc:00:00:f5 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:47.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:47.000Z",
+ "original": "<30>Apr 17 13:07:47 dhcpd[46177]: DHCPACK on 10.1.1.59 to aa:bb:cc:00:00:f5 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 10.1.1.60 from aa:bb:cc:00:00:f6 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 10.1.1.60 to aa:bb:cc:00:00:f6 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.61 from aa:bb:cc:00:00:f7 (device-0003) via 172.16.0.176"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.61 to aa:bb:cc:00:00:f7 (device-0003) via 172.16.0.176 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.62 from aa:bb:cc:00:00:f8 (device-0003) via 172.16.0.52"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.62 to aa:bb:cc:00:00:f8 (device-0003) via 172.16.0.52 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:a3 via 172.16.0.221"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<27>Apr 17 13:07:48 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:a3 via 172.16.0.221: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.63 from aa:bb:cc:00:00:f9 (device-0003) via 172.16.0.38"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.63 to aa:bb:cc:00:00:f9 (device-0003) via 172.16.0.38 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 10.1.0.92 from aa:bb:cc:00:00:41 (device-0024) via 10.1.0.93"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 10.1.0.92 to aa:bb:cc:00:00:41 (device-0024) via 10.1.0.93 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 10.1.1.64 from aa:bb:cc:00:00:fa via 10.1.1.65"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 10.1.1.64 to aa:bb:cc:00:00:fa via 10.1.1.65 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.66 from aa:bb:cc:00:00:fb (device-0003) via 172.16.0.116"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.66 to aa:bb:cc:00:00:fb (device-0003) via 172.16.0.116 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.67 from aa:bb:cc:00:00:fc (device-0003) via 172.16.0.49"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.67 to aa:bb:cc:00:00:fc (device-0003) via 172.16.0.49 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 10.1.1.68 from aa:bb:cc:00:00:fd (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 10.1.1.68 to aa:bb:cc:00:00:fd (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:fe via 172.16.1.69"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:ff via 10.1.1.70"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<27>Apr 17 13:07:48 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:ff via 10.1.1.70: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPOFFER on 172.16.1.71 to aa:bb:cc:00:00:e8 (device-0063) via 172.16.0.107 [3599]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.72 from aa:bb:cc:00:01:00 (device-0003) via 172.16.0.40"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.72 to aa:bb:cc:00:01:00 (device-0003) via 172.16.0.40 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:75 via 172.16.0.44"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<27>Apr 17 13:07:48 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:75 via 172.16.0.44: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.73 from aa:bb:cc:00:01:01 (device-0003) via 172.16.0.52"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.73 to aa:bb:cc:00:01:01 (device-0003) via 172.16.0.52 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.74 from aa:bb:cc:00:01:02 (device-0003) via 172.16.0.86"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.74 to aa:bb:cc:00:01:02 (device-0003) via 172.16.0.86 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.75 from aa:bb:cc:00:01:03 (device-0003) via 172.16.0.17"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.75 to aa:bb:cc:00:01:03 (device-0003) via 172.16.0.17 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.76 from aa:bb:cc:00:01:04 (device-0003) via 172.16.0.52"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.76 to aa:bb:cc:00:01:04 (device-0003) via 172.16.0.52 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 10.1.1.77 (device-0040) from aa:bb:cc:00:00:92 via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 10.1.1.77 to aa:bb:cc:00:00:92 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 10.1.1.78 from aa:bb:cc:00:01:05 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 10.1.1.78 to aa:bb:cc:00:01:05 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 10.1.0.108 from aa:bb:cc:00:00:4c (device-0027) via 10.1.0.109"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 10.1.0.108 to aa:bb:cc:00:00:4c (device-0027) via 10.1.0.109 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 10.1.1.79 from aa:bb:cc:00:01:06 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 10.1.1.79 to aa:bb:cc:00:01:06 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPREQUEST for 172.16.1.80 from aa:bb:cc:00:01:07 (device-0003) via 172.16.1.81"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:48.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:48.000Z",
+ "original": "<30>Apr 17 13:07:48 dhcpd[46177]: DHCPACK on 172.16.1.80 to aa:bb:cc:00:01:07 (device-0003) via 172.16.1.81 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:1c via 10.1.0.20"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<27>Apr 17 13:07:49 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:1c via 10.1.0.20: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 10.1.0.118 from aa:bb:cc:00:00:53 (device-0029) via 10.1.0.119"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 10.1.0.118 to aa:bb:cc:00:00:53 (device-0029) via 10.1.0.119 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 172.16.1.82 from aa:bb:cc:00:01:08 (device-0003) via 172.16.0.40"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 172.16.1.82 to aa:bb:cc:00:01:08 (device-0003) via 172.16.0.40 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 172.16.1.83 from aa:bb:cc:00:01:09 (device-0003) via 172.16.0.52"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 172.16.1.83 to aa:bb:cc:00:01:09 (device-0003) via 172.16.0.52 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 172.16.1.84 from aa:bb:cc:00:01:0a (device-0003) via 172.16.1.85"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 172.16.1.84 to aa:bb:cc:00:01:0a (device-0003) via 172.16.1.85 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:01:0b via 172.16.1.86"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<27>Apr 17 13:07:49 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:01:0b via 172.16.1.86: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 172.16.1.87 from aa:bb:cc:00:01:0c (device-0003) via 172.16.0.124"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 172.16.1.87 to aa:bb:cc:00:01:0c (device-0003) via 172.16.0.124 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 172.16.0.5 from aa:bb:cc:00:00:04 (device-0003) via 172.16.0.6"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 172.16.0.5 to aa:bb:cc:00:00:04 (device-0003) via 172.16.0.6 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 10.1.1.88 from aa:bb:cc:00:01:0d (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 10.1.1.88 to aa:bb:cc:00:01:0d (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 172.16.0.14 from aa:bb:cc:00:00:0a (device-0003) via 172.16.0.15"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 172.16.0.14 to aa:bb:cc:00:00:0a (device-0003) via 172.16.0.15 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 10.1.1.89 from aa:bb:cc:00:01:0e (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 10.1.1.89 to aa:bb:cc:00:01:0e (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPOFFER on 172.16.1.90 to aa:bb:cc:00:00:fe (device-0064) via 172.16.1.69 [3599]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:fe via 172.16.1.69"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPOFFER on 172.16.1.90 to aa:bb:cc:00:00:fe (device-0064) via 172.16.1.69 [3600]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:da via 172.16.0.44"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<27>Apr 17 13:07:49 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:da via 172.16.0.44: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 172.16.0.21 from aa:bb:cc:00:00:0f (device-0003) via 172.16.0.22"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 172.16.0.21 to aa:bb:cc:00:00:0f (device-0003) via 172.16.0.22 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 10.1.1.91 from aa:bb:cc:00:01:0f (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 10.1.1.91 to aa:bb:cc:00:01:0f (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 172.16.0.23 from aa:bb:cc:00:00:10 (device-0003) via 172.16.0.24"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 172.16.0.23 to aa:bb:cc:00:00:10 (device-0003) via 172.16.0.24 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:01:10 via 10.1.0.129"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<27>Apr 17 13:07:49 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:01:10 via 10.1.0.129: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:4b via 172.16.0.107"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<27>Apr 17 13:07:49 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:4b via 172.16.0.107: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPREQUEST for 10.1.1.92 from aa:bb:cc:00:01:11 (device-0065) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:49.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:49.000Z",
+ "original": "<30>Apr 17 13:07:49 dhcpd[46177]: DHCPACK on 10.1.1.92 to aa:bb:cc:00:01:11 (device-0065) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:9f via 172.16.0.215"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<27>Apr 17 13:07:50 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:9f via 172.16.0.215: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.35 from aa:bb:cc:00:00:18 (device-0003) via 172.16.0.36"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.35 to aa:bb:cc:00:00:18 (device-0003) via 172.16.0.36 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.37 from aa:bb:cc:00:00:19 (device-0003) via 172.16.0.38"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.37 to aa:bb:cc:00:00:19 (device-0003) via 172.16.0.38 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 10.1.1.93 from aa:bb:cc:00:01:12 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 10.1.1.93 to aa:bb:cc:00:01:12 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.39 from aa:bb:cc:00:00:1a (device-0003) via 172.16.0.40"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.39 to aa:bb:cc:00:00:1a (device-0003) via 172.16.0.40 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:9c via 172.16.0.211"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<27>Apr 17 13:07:50 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:9c via 172.16.0.211: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 10.1.1.94 from aa:bb:cc:00:01:13 (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 10.1.1.94 to aa:bb:cc:00:01:13 (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPREQUEST for 172.16.0.136 (device-0015) from aa:bb:cc:00:00:61 via 172.16.0.137"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.136 (device-0015) from aa:bb:cc:00:00:61 via 172.16.0.137: unknown lease 172.16.0.136."
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 10.1.0.149 from aa:bb:cc:00:00:6b (device-0034) via 10.1.0.150"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 10.1.0.149 to aa:bb:cc:00:00:6b (device-0034) via 10.1.0.150 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.1.95 from aa:bb:cc:00:01:14 via lagg1"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.1.95 to aa:bb:cc:00:01:14 via lagg1 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.1.96 from aa:bb:cc:00:01:15 (device-0066) via lagg1"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.1.96 to aa:bb:cc:00:01:15 (device-0066) via lagg1 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.48 from aa:bb:cc:00:00:23 (device-0003) via 172.16.0.49"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.48 to aa:bb:cc:00:00:23 (device-0003) via 172.16.0.49 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.53 from aa:bb:cc:00:00:25 (device-0003) via 172.16.0.52"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.53 to aa:bb:cc:00:00:25 (device-0003) via 172.16.0.52 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.51 from aa:bb:cc:00:00:24 (device-0003) via 172.16.0.52"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.51 to aa:bb:cc:00:00:24 (device-0003) via 172.16.0.52 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.54 from aa:bb:cc:00:00:26 (device-0003) via 172.16.0.55"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.54 to aa:bb:cc:00:00:26 (device-0003) via 172.16.0.55 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 10.1.1.97 from aa:bb:cc:00:01:16 (device-0067) via 10.1.0.45"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 10.1.1.97 to aa:bb:cc:00:01:16 (device-0067) via 10.1.0.45 [65483]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.1.98 from aa:bb:cc:00:01:17 (device-0068) via lagg1"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.1.98 to aa:bb:cc:00:01:17 (device-0068) via lagg1 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.61 from aa:bb:cc:00:00:29 (device-0003) via 172.16.0.62"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.61 to aa:bb:cc:00:00:29 (device-0003) via 172.16.0.62 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:30 via 10.1.0.70"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<27>Apr 17 13:07:50 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:30 via 10.1.0.70: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.64 from aa:bb:cc:00:00:2b (device-0003) via 172.16.0.24"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.64 to aa:bb:cc:00:00:2b (device-0003) via 172.16.0.24 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.65 from aa:bb:cc:00:00:2c (device-0003) via 172.16.0.40"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.65 to aa:bb:cc:00:00:2c (device-0003) via 172.16.0.40 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 10.1.1.99 from aa:bb:cc:00:01:18 (device-0069) via 10.1.1.100"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 10.1.1.99 to aa:bb:cc:00:01:18 (device-0069) via 10.1.1.100 [55932]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:01:19 via 10.1.1.101"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPOFFER on 10.1.1.102 to aa:bb:cc:00:01:19 via 10.1.1.101 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 10.1.1.102 (device-0015) from aa:bb:cc:00:01:19 via 10.1.1.101"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 10.1.1.102 to aa:bb:cc:00:01:19 via 10.1.1.101 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.1.103 from aa:bb:cc:00:01:1a (device-0001) via 172.16.0.57"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.1.103 to aa:bb:cc:00:01:1a (device-0001) via 172.16.0.57 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.1.103 from aa:bb:cc:00:01:1a (device-0001) via 172.16.0.58"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.1.103 to aa:bb:cc:00:01:1a (device-0001) via 172.16.0.58 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "bind update on 172.16.1.103 got ack from dhcp-server.example.net"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: bind update on 172.16.1.103 got ack from dhcp-server.example.net: xid mismatch."
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.0.67 from aa:bb:cc:00:00:2e (device-0003) via 172.16.0.68"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.0.67 to aa:bb:cc:00:00:2e (device-0003) via 172.16.0.68 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 10.1.1.104 from aa:bb:cc:00:01:1b (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 10.1.1.104 to aa:bb:cc:00:01:1b (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 10.1.1.105 from aa:bb:cc:00:01:1c (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 10.1.1.105 to aa:bb:cc:00:01:1c (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 10.1.1.106 from aa:bb:cc:00:01:1d (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 10.1.1.106 to aa:bb:cc:00:01:1d (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "DHCPDISCOVER from aa:bb:cc:00:00:9f via 172.16.0.215"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<27>Apr 17 13:07:50 dhcpd[46177]: DHCPDISCOVER from aa:bb:cc:00:00:9f via 172.16.0.215: peer holds all free leases"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.1.107 from aa:bb:cc:00:01:1e (device-0070) via 172.16.0.57"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.1.107 to aa:bb:cc:00:01:1e (device-0070) via 172.16.0.57 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPREQUEST for 172.16.1.107 from aa:bb:cc:00:01:1e (device-0070) via 172.16.0.58"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:50.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:50.000Z",
+ "original": "<30>Apr 17 13:07:50 dhcpd[46177]: DHCPACK on 172.16.1.107 to aa:bb:cc:00:01:1e (device-0070) via 172.16.0.58 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:51.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:51.000Z",
+ "original": "<30>Apr 17 13:07:51 dhcpd[46177]: DHCPREQUEST for 172.16.0.73 from aa:bb:cc:00:00:33 (device-0003) via 172.16.0.52"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:51.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:51.000Z",
+ "original": "<30>Apr 17 13:07:51 dhcpd[46177]: DHCPACK on 172.16.0.73 to aa:bb:cc:00:00:33 (device-0003) via 172.16.0.52 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:51.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:51.000Z",
+ "original": "<30>Apr 17 13:07:51 dhcpd[46177]: DHCPREQUEST for 10.1.1.89 from aa:bb:cc:00:01:0e (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:51.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:51.000Z",
+ "original": "<30>Apr 17 13:07:51 dhcpd[46177]: DHCPACK on 10.1.1.89 to aa:bb:cc:00:01:0e (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:51.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "service_name": "bind update on 172.16.1.107 got ack from dhcp-server.example.net"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T13:07:51.000Z",
+ "original": "<30>Apr 17 13:07:51 dhcpd[46177]: bind update on 172.16.1.107 got ack from dhcp-server.example.net: xid mismatch."
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:51.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:51.000Z",
+ "original": "<30>Apr 17 13:07:51 dhcpd[46177]: DHCPREQUEST for 10.1.1.108 from aa:bb:cc:00:01:1f (device-0001) via 10.1.0.3"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:51.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:51.000Z",
+ "original": "<30>Apr 17 13:07:51 dhcpd[46177]: DHCPACK on 10.1.1.108 to aa:bb:cc:00:01:1f (device-0001) via 10.1.0.3 [28800]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:51.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:51.000Z",
+ "original": "<30>Apr 17 13:07:51 dhcpd[46177]: DHCPREQUEST for 172.16.0.75 from aa:bb:cc:00:00:35 (device-0003) via 172.16.0.76"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:51.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:51.000Z",
+ "original": "<30>Apr 17 13:07:51 dhcpd[46177]: DHCPACK on 172.16.0.75 to aa:bb:cc:00:00:35 (device-0003) via 172.16.0.76 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:51.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:51.000Z",
+ "original": "<30>Apr 17 13:07:51 dhcpd[46177]: DHCPREQUEST for 172.16.0.77 from aa:bb:cc:00:00:36 (device-0003) via 172.16.0.24"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T13:07:51.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2026-04-17T13:07:51.000Z",
+ "original": "<30>Apr 17 13:07:51 dhcpd[46177]: DHCPACK on 172.16.0.77 to aa:bb:cc:00:00:36 (device-0003) via 172.16.0.24 [86400]"
+ },
+ "host": {
+ "name": "dhcpd[46177]:"
+ },
+ "log": {
+ "syslog": {
+ "priority": 30
+ }
+ }
+ }
+ ]
+}
diff --git a/packages/efficient_ip/data_stream/log/_dev/test/pipeline/test-dns.log b/packages/efficient_ip/data_stream/log/_dev/test/pipeline/test-dns.log
new file mode 100644
index 00000000000..1121e13b74e
--- /dev/null
+++ b/packages/efficient_ip/data_stream/log/_dev/test/pipeline/test-dns.log
@@ -0,0 +1,2000 @@
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.42#56474: query: euc-common.online.office.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.42#56474 (euc-common.online.office.com.): answer: euc-common.online.office.com. IN A (10.100.0.1) -> NOERROR 258 CNAME euc-common-geo.wac.trafficmanager.net. 5 CNAME euc-common.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 35 CNAME wac-0003.wac-msedge.net. 18 A 198.51.100.235 18 A 198.51.100.236
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.165#59650: query: login.microsoftonline.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.165#59650 (login.microsoftonline.com.): answer: login.microsoftonline.com. IN A (10.100.0.1) -> NOERROR 7955 CNAME login.mso.msidentity.com. 71 CNAME ak.privatelink.msidentity.com. 41 CNAME www.tm.a.prd.aadg.trafficmanager.net. 99 A 198.51.100.144 99 A 198.51.100.137 99 A 198.51.100.146 99 A 198.51.100.208 99 A 198.51.100.148 99 A 198.51.100.145 99 A 198.51.100.147 99 A 198.51.100.209
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.64#50108: query: dns.msftncsi.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.64#50108 (dns.msftncsi.com.): answer: dns.msftncsi.com. IN A (10.100.0.1) -> NOERROR 8 A 198.51.100.215
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.74#62956: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.74#62956 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.105#56853: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.105#56853 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.168#63721: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.168#63721 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#56127: query: www.google.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#56127 (www.google.com.): answer: www.google.com. IN A (10.100.0.1) -> NOERROR 115 A 198.51.100.248 115 A 198.51.100.244 115 A 198.51.100.249 115 A 198.51.100.246 115 A 198.51.100.247 115 A 198.51.100.243 115 A 198.51.100.245 115 A 198.51.100.242
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#52551: query: z-p42-instagram.c10r.instagram.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#53130: query: z-p42-instagram.c10r.instagram.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#53130 (z-p42-instagram.c10r.instagram.com.): answer: z-p42-instagram.c10r.instagram.com. IN A (10.100.0.1) -> NOERROR 41 A 198.51.100.29
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#53312: query: app-measurement.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#53312 (app-measurement.com.): answer: app-measurement.com. IN A (10.100.0.1) -> NOERROR 177 A 198.51.100.253
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.95#63787: query: downloadplugins.citrix.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.95#63787 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.75#60720: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.75#60720 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.75#59046: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.75#59046 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#56258: query: view.adjust.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#52551 (z-p42-instagram.c10r.instagram.com.): answer: z-p42-instagram.c10r.instagram.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.26#50433: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.26#50433 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.101#51741: query: downloadplugins.citrix.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.101#51741 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#49021: query: pub-ent-frce-03-t.trouter.teams.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#49021 (pub-ent-frce-03-t.trouter.teams.microsoft.com.): answer: pub-ent-frce-03-t.trouter.teams.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 678 CNAME partition-cname-trouter.pub-ent-frce-03.ic3-edf-trouter.francecentral-prod.cosmic.office.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#37741: query: pub-ent-frce-03-t.trouter.teams.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#37741 (pub-ent-frce-03-t.trouter.teams.microsoft.com.): answer: pub-ent-frce-03-t.trouter.teams.microsoft.com. IN A (10.100.0.1) -> NOERROR 679 CNAME partition-cname-trouter.pub-ent-frce-03.ic3-edf-trouter.francecentral-prod.cosmic.office.net. 16 CNAME cosmic-francecentral-ns-e44da0a10bd2.trafficmanager.net. 7 CNAME partition-cname-trouter-ic3-edf-trouter-service-trouter-1.d02
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#56258 (view.adjust.com.): answer: view.adjust.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.213#56340: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.213#56340 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.179#50604: query: connect.epicgames.dev IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.86#58372: query: login.microsoftonline.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.86#58372 (login.microsoftonline.com.): answer: login.microsoftonline.com. IN A (10.100.0.1) -> NOERROR 7955 CNAME login.mso.msidentity.com. 71 CNAME ak.privatelink.msidentity.com. 41 CNAME www.tm.a.prd.aadg.trafficmanager.net. 99 A 198.51.100.145 99 A 198.51.100.147 99 A 198.51.100.209 99 A 198.51.100.144 99 A 198.51.100.137 99 A 198.51.100.146 99 A 198.51.100.208 99 A 198.51.100.148
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.140#64819: query: rr1---sn-4g5lznsl.googlevideo.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.140#64819 (rr1---sn-4g5lznsl.googlevideo.com.): answer: rr1---sn-4g5lznsl.googlevideo.com. IN A (10.100.0.1) -> NOERROR 1658 CNAME rr1.sn-4g5lznsl.googlevideo.com. 1658 A 198.51.100.78
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.148#43768: query: www.google.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.148#43768 (www.google.com.): answer: www.google.com. IN A (10.100.0.1) -> NOERROR 115 A 198.51.100.246 115 A 198.51.100.247 115 A 198.51.100.243 115 A 198.51.100.245 115 A 198.51.100.242 115 A 198.51.100.248 115 A 198.51.100.244 115 A 198.51.100.249
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.118#39600: query: connectivitycheck.gstatic.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.118#39600 (connectivitycheck.gstatic.com.): answer: connectivitycheck.gstatic.com. IN A (10.100.0.1) -> NOERROR 84 A 198.51.100.239
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.118#39600: query: connectivitycheck.gstatic.com IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.118#39600 (connectivitycheck.gstatic.com.): answer: connectivitycheck.gstatic.com. IN AAAA (10.100.0.1) -> NOERROR 84 AAAA fd12:3456:789a::1
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#59895: query: teams.cloud.microsoft IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#59895 (teams.cloud.microsoft.): answer: teams.cloud.microsoft. IN TYPE65 (10.100.0.1) -> NOERROR 70 CNAME teams-cloud-microsoft.s-0005.dual-s-msedge.net. 18 CNAME s-0005.dual-s-msedge.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#64296: query: teams.cloud.microsoft IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#64296 (teams.cloud.microsoft.): answer: teams.cloud.microsoft. IN A (10.100.0.1) -> NOERROR 69 CNAME teams-cloud-microsoft.s-0005.dual-s-msedge.net. 17 CNAME s-0005.dual-s-msedge.net. 24 A 198.51.100.251 24 A 198.51.100.252
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.58#59666: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.58#59666 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.58#50350: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.58#50350 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.73#52430: query: downloadplugins.citrix.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.73#52430 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#63397: query: host002.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.237#62629: query: host003.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.237#62629 (host003.example.net.): answer: host003.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.236
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.180#52405: query: mask.icloud.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.180#52405 (mask.icloud.com.): answer: mask.icloud.com. IN TYPE65 (10.100.0.1) -> NOERROR 9366 CNAME mask.apple-dns.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.79#58430: query: host004.host004.host004.host004.example.net IN SRV (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.79#58430 (host004.host004.host004.host004.example.net.): answer: host004.host004.host004.host004.example.net. IN SRV (10.100.0.1) -> NOERROR 600 SRV 0 100 389 host005.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.180#60314: query: mask.icloud.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.180#60314 (mask.icloud.com.): answer: mask.icloud.com. IN A (10.100.0.1) -> NOERROR 9366 CNAME mask.apple-dns.net. 3 A 198.51.100.43 3 A 198.51.100.44 3 A 198.51.100.40 3 A 198.51.100.47 3 A 198.51.100.42 3 A 198.51.100.41 3 A 198.51.100.45 3 A 198.51.100.46
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#56616: query: host006.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#56616 (host006.example.net.): answer: host006.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.3#60173: query: host007.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.3#60173: query: host007.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.3#60173 (host007.example.net.): answer: host007.example.net. IN A (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net. 3600 A 10.100.0.1
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.3#60173 (host007.example.net.): answer: host007.example.net. IN AAAA (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#63397 (host002.example.net.): answer: host002.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#54708: query: 198.51.100.39.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#54708 (198.51.100.39.in-addr.arpa.): answer: 198.51.100.39.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host009.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.181#59494: query: res.public.onecdn.static.microsoft IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.181#59494 (res.public.onecdn.static.microsoft.): answer: res.public.onecdn.static.microsoft. IN A (10.100.0.1) -> NOERROR 282 CNAME res-ocdi-public.trafficmanager.net. 87 CNAME res-1.public.onecdn.static.microsoft. 19 CNAME res-ocdi-stls-prod.edgesuite.net. 119 CNAME a434.dscd.akamai.net. 14 A 198.51.100.76 14 A 198.51.100.69 14 A 198.51.100.74 14 A 198.51.100.64 14 A 198.51.100.70 14
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.122#49665: query: stream-production.avcdn.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.22#54200: query: host010.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.22#54200 (host010.example.net.): answer: host010.example.net. IN A (10.100.0.1) -> NOERROR 900 A 10.1.1.7
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#62066: query: host011.host011.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.118#52650: query: refinery2fa.afaspocket.nl IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.118#52650 (refinery2fa.afaspocket.nl.): answer: refinery2fa.afaspocket.nl. IN TYPE65 (10.100.0.1) -> NOERROR 2562 CNAME refinery2fa-afaspocket-nl.trafficmanager.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.118#50566: query: refinery2fa.afaspocket.nl IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.180#61113: query: mask.apple-dns.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.180#61113 (mask.apple-dns.net.): answer: mask.apple-dns.net. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.182#61204: query: graph.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.182#61204 (graph.microsoft.com.): answer: graph.microsoft.com. IN A (10.100.0.1) -> NOERROR 1055 CNAME ags.privatelink.msidentity.com. 165 CNAME www.tm.prd.ags.akadns.net. 122 A 198.51.100.142 122 A 198.51.100.140 122 A 198.51.100.143 122 A 198.51.100.141 122 A 198.51.100.210 122 A 198.51.100.139 122 A 198.51.100.138 122 A 198.51.100.149
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.33#64388: query: eu-teams.events.data.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.33#64388 (eu-teams.events.data.microsoft.com.): answer: eu-teams.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 9 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.33#52928: query: eu-teams.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.33#52928 (eu-teams.events.data.microsoft.com.): answer: eu-teams.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 9 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.56#52730: query: edge.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.56#52730 (edge.microsoft.com.): answer: edge.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 626 CNAME edge-microsoft-com.ax-0002.ax-msedge.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.92#57947: query: host010.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.92#57947 (host010.example.net.): answer: host010.example.net. IN A (10.100.0.1) -> NOERROR 900 A 10.1.1.7
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.56#56409: query: edge.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.56#56409 (edge.microsoft.com.): answer: edge.microsoft.com. IN A (10.100.0.1) -> NOERROR 626 CNAME edge-microsoft-com.ax-0002.ax-msedge.net. 80 CNAME ax-0002.ax-dc-msedge.net. 5 A 198.51.100.4 5 A 198.51.100.3
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.197#56096: query: host012.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.197#33276: query: host012.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.197#33276 (host012.example.net.): answer: host012.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.197#56096 (host012.example.net.): answer: host012.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.196
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#56832: query: play.playr.biz IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#56832 (play.playr.biz.): answer: play.playr.biz. IN A (10.100.0.1) -> NOERROR 1517 A 198.51.100.21
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#57258: query: host013.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#57258 (host013.example.net.): answer: host013.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.217
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#57258: query: host013.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#57258 (host013.example.net.): answer: host013.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.179#50604 (connect.epicgames.dev.): answer: connect.epicgames.dev. IN A (10.100.0.1) -> NOERROR 241 CNAME weighted-epic-connect-manager-prod.epicgames.dev. 60 A 198.51.100.13 60 A 198.51.100.82 60 A 198.51.100.3 60 A 198.51.100.22 60 A 198.51.100.187 60 A 198.51.100.186 60 A 198.51.100.15 60 A 198.51.100.19
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#64939: query: play.playr.biz IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#64939 (play.playr.biz.): answer: play.playr.biz. IN A (10.100.0.1) -> NOERROR 1517 A 198.51.100.21
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#50161: query: cdn.jsdelivr.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#50161 (cdn.jsdelivr.net.): answer: cdn.jsdelivr.net. IN A (10.100.0.1) -> NOERROR 263 CNAME cdn.jsdelivr.net.cdn.cloudflare.net. 196 A 198.51.100.201 196 A 198.51.100.200
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#53178: query: cdn.jsdelivr.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#53178 (cdn.jsdelivr.net.): answer: cdn.jsdelivr.net. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.250#57252: query: host014.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.250#57252 (host014.example.net.): answer: host014.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.251
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.250#49550: query: host014.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.250#49550 (host014.example.net.): answer: host014.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.83#50183: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.83#50183 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.28#58990: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.28#58990 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.122#49665 (stream-production.avcdn.net.): answer: stream-production.avcdn.net. IN A (10.100.0.1) -> NOERROR 181 CNAME stream-production.avcdn.net.akamaized.net. 5470 CNAME a6143.dscd.akamai.net. 20 A 198.51.100.58 20 A 198.51.100.74 20 A 198.51.100.67 20 A 198.51.100.60 20 A 198.51.100.75 20 A 198.51.100.66 20 A 198.51.100.72 20 A 198.51.100.77 20 A 198.51.100.62
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.133#58488: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.133#58488 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.97#58799: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.97#58799 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.208#57653: query: example.net IN SOA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.177#63489: query: gew4-spclient.spotify.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.177#63489 (gew4-spclient.spotify.com.): answer: gew4-spclient.spotify.com. IN A (10.100.0.1) -> NOERROR 138 CNAME edge-web-gew4.dual-gslb.spotify.com. 37 A 198.51.100.202
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.208#57653 (example.net.): answer: example.net. IN SOA (10.100.0.1) -> NOERROR 3600 SOA host015.example.net. empty.empty. 1438828 3600 600 1209600 3600
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.177#51056: query: gew4-spclient.spotify.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.177#51056 (gew4-spclient.spotify.com.): answer: gew4-spclient.spotify.com. IN TYPE65 (10.100.0.1) -> NOERROR 139 CNAME edge-web-gew4.dual-gslb.spotify.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.250#43650: query: host016.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.250#43650 (host016.example.net.): answer: host016.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#62066 (host011.host011.example.net.): answer: host011.host011.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.250#51709: query: host016.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.250#51709 (host016.example.net.): answer: host016.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.252
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#59119: query: host017.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.251#31139: query: 198.51.100.79.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#59119 (host017.example.net.): answer: host017.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#58215: query: gateway.facebook.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#58215 (gateway.facebook.com.): answer: gateway.facebook.com. IN A (10.100.0.1) -> NOERROR 1121 CNAME dgw.c10r.facebook.com. 33 A 198.51.100.26
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.251#31139 (198.51.100.79.in-addr.arpa.): answer: 198.51.100.79.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host018.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#65408: query: edge-mqtt.facebook.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#65408 (edge-mqtt.facebook.com.): answer: edge-mqtt.facebook.com. IN A (10.100.0.1) -> NOERROR 44 CNAME mqtt.c10r.facebook.com. 1 A 198.51.100.25
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.78#59607: query: downloadplugins.citrix.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.78#59607 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#58225: query: europe.smartscreen.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#58225 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#50093: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#50093 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.118#49228: query: refinery2fa-afaspocket-nl.trafficmanager.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.72#62166: query: default._dante-ddm-d._udp IN SRV (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.72#62166 (default._dante-ddm-d._udp.): answer: default._dante-ddm-d._udp. IN SRV (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.84#51692: query: host019.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.84#51692 (host019.example.net.): answer: host019.example.net. IN A (10.100.0.1) -> NOERROR 180 A 10.1.1.8
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56703: query: host020.host020.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56703 (host020.host020.example.net.): answer: host020.host020.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.252#42821: query: 198.51.100.79.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.252#42821 (198.51.100.79.in-addr.arpa.): answer: 198.51.100.79.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host018.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#56402: query: mask.apple-dns.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#56402 (mask.apple-dns.net.): answer: mask.apple-dns.net. IN A (10.100.0.1) -> NOERROR 3 A 198.51.100.41 3 A 198.51.100.47 3 A 198.51.100.44 3 A 198.51.100.40 3 A 198.51.100.42 3 A 198.51.100.43 3 A 198.51.100.46 3 A 198.51.100.45
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#63701: query: mask.apple-dns.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#63701 (mask.apple-dns.net.): answer: mask.apple-dns.net. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.71#65086: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.71#65086 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.139#49348: query: lb._dns-sd._udp.198.51.100.113.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.139#49348 (lb._dns-sd._udp.198.51.100.113.in-addr.arpa.): answer: lb._dns-sd._udp.198.51.100.113.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.139#53868: query: lb._dns-sd._udp.192.0.2.2.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.139#55797: query: host021.host021.host021.example.net IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.139#53868 (lb._dns-sd._udp.192.0.2.2.in-addr.arpa.): answer: lb._dns-sd._udp.192.0.2.2.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.139#55797 (host021.host021.host021.example.net.): answer: host021.host021.host021.example.net. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.181#63814: query: cctypekit.adobe.io IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.84#51692: query: host022.host022.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.84#51692 (host023.host023.example.net.): answer: host023.host023.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#63397: query: host024.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#63397 (host024.example.net.): answer: host024.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.118#50566 (refinery2fa.afaspocket.nl.): answer: refinery2fa.afaspocket.nl. IN A (10.100.0.1) -> NOERROR 2563 CNAME refinery2fa-afaspocket-nl.trafficmanager.net. 60 CNAME pocketapi2fa.azurewebsites.net. 30 CNAME waws-prod-am2-025a.sip.azurewebsites.windows.net. 2653 CNAME waws-prod-am2-025.westeurope.cloudapp.azure.com. 4 A 198.51.100.207
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.181#63814 (cctypekit.adobe.io.): answer: cctypekit.adobe.io. IN A (10.100.0.1) -> NOERROR 16 CNAME cctypekit.adobe.io.edgekey.net. 7530 CNAME e364363.dscg.akamaiedge.net. 20 A 198.51.100.124 20 A 198.51.100.128
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.68#58264: query: metadata.google.internal IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.68#58264 (metadata.google.internal.): answer: metadata.google.internal. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.143#50982: query: contacts.fe2.apple-dns.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.143#50982 (contacts.fe2.apple-dns.net.): answer: contacts.fe2.apple-dns.net. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.143#60326: query: contacts.fe2.apple-dns.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.143#60326 (contacts.fe2.apple-dns.net.): answer: contacts.fe2.apple-dns.net. IN A (10.100.0.1) -> NOERROR 66 A 198.51.100.50 66 A 198.51.100.49 66 A 198.51.100.48 66 A 198.51.100.51
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.223#56323: query: 198.51.100.0.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.223#56323 (198.51.100.0.in-addr.arpa.): answer: 198.51.100.0.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 1800 PTR host025.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.223#52617: query: 198.51.100.0.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#62066: query: host026.host026.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.223#52617 (198.51.100.0.in-addr.arpa.): answer: 198.51.100.0.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 1800 PTR host025.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.61#52256: query: messaging.engagement.office.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.61#52256 (messaging.engagement.office.com.): answer: messaging.engagement.office.com. IN A (10.100.0.1) -> NOERROR 121 CNAME prod-campaignaggregator.omexexternallfb.office.net.akadns.net. 7 A 198.51.100.250
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.169#60503: query: lb._dns-sd._udp.198.51.100.47.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.169#52052: query: host021.host021.host021.example.net IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.169#59573: query: lb._dns-sd._udp.192.0.2.2.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.169#60503 (lb._dns-sd._udp.198.51.100.47.in-addr.arpa.): answer: lb._dns-sd._udp.198.51.100.47.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.169#52052 (host021.host021.host021.example.net.): answer: host021.host021.host021.example.net. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.169#59573 (lb._dns-sd._udp.192.0.2.2.in-addr.arpa.): answer: lb._dns-sd._udp.192.0.2.2.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.169#56353: query: lb._dns-sd._udp.198.51.100.37.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.169#56353 (lb._dns-sd._udp.198.51.100.37.in-addr.arpa.): answer: lb._dns-sd._udp.198.51.100.37.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.169#58516: query: lb._dns-sd._udp.198.51.100.180.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.169#58516 (lb._dns-sd._udp.198.51.100.180.in-addr.arpa.): answer: lb._dns-sd._udp.198.51.100.180.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#62521: query: eu-office.events.data.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#62521 (eu-office.events.data.microsoft.com.): answer: eu-office.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 88 CNAME eu.aria.events.data.trafficmanager.net. 11 CNAME onedscolprdneu02.northeurope.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#52556: query: eu-office.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#52556 (eu-office.events.data.microsoft.com.): answer: eu-office.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 88 CNAME eu.aria.events.data.trafficmanager.net. 11 CNAME onedscolprdneu02.northeurope.cloudapp.azure.com. 2 A 198.51.100.155
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#62066 (host026.host026.example.net.): answer: host026.host026.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.54#44471: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.54#44471 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.118#49228 (refinery2fa-afaspocket-nl.trafficmanager.net.): answer: refinery2fa-afaspocket-nl.trafficmanager.net. IN TYPE65 (10.100.0.1) -> NOERROR 60 CNAME pocketapi2fa.azurewebsites.net. 30 CNAME waws-prod-am2-025a.sip.azurewebsites.windows.net. 2653 CNAME waws-prod-am2-025.westeurope.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.232#65045: query: host027.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.232#65045: query: host027.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.232#65045 (host027.example.net.): answer: host027.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.1.0
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.232#65045 (host027.example.net.): answer: host027.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.203#56268: query: example.net IN SOA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.82#64639: query: downloadplugins.citrix.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.203#56268 (example.net.): answer: example.net. IN SOA (10.100.0.1) -> NOERROR 3600 SOA host015.example.net. empty.empty. 1438828 3600 600 1209600 3600
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.82#64639 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.123#56811: query: v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.123#56811 (v20.events.data.microsoft.com.): answer: v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 13 CNAME win-global-asimov-leafs-events-data.trafficmanager.net. 6 CNAME onedscolprdeus11.eastus.cloudapp.azure.com. 5 A 198.51.100.154
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56703: query: host028.host028.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.157#63185: query: auth.deepl.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.157#63185 (auth.deepl.com.): answer: auth.deepl.com. IN A (10.100.0.1) -> NOERROR 36 CNAME fal-lb.deepl.com. 13 A 198.51.100.110
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.179#61269: query: ssl.gstatic.com IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.147#64393: query: aws-proxy-gcp.api.sc-gw.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.147#64393 (aws-proxy-gcp.api.sc-gw.com.): answer: aws-proxy-gcp.api.sc-gw.com. IN A (10.100.0.1) -> NOERROR 42 A 198.51.100.204
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.172#51399: query: login.microsoftonline.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.172#51399 (login.microsoftonline.com.): answer: login.microsoftonline.com. IN A (10.100.0.1) -> NOERROR 7955 CNAME login.mso.msidentity.com. 71 CNAME ak.privatelink.msidentity.com. 41 CNAME www.tm.a.prd.aadg.trafficmanager.net. 99 A 198.51.100.209 99 A 198.51.100.144 99 A 198.51.100.137 99 A 198.51.100.146 99 A 198.51.100.208 99 A 198.51.100.148 99 A 198.51.100.145 99 A 198.51.100.147
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.85#49803: query: oauth.officeapps.live.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.85#49803 (oauth.officeapps.live.com.): answer: oauth.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR 52 CNAME oauth-geo.wac.trafficmanager.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.59#63597: query: pneumandit.azure-devices.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.85#52241: query: oauth.officeapps.live.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.85#52241 (oauth.officeapps.live.com.): answer: oauth.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 52 CNAME oauth-geo.wac.trafficmanager.net. 57 CNAME oauth.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 12 CNAME wac-0003.wac-msedge.net. 18 A 198.51.100.235 18 A 198.51.100.236
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.117#59549: query: mask.apple-dns.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.117#59549 (mask.apple-dns.net.): answer: mask.apple-dns.net. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.117#56472: query: mask.apple-dns.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.117#56472 (mask.apple-dns.net.): answer: mask.apple-dns.net. IN A (10.100.0.1) -> NOERROR 3 A 198.51.100.40 3 A 198.51.100.42 3 A 198.51.100.43 3 A 198.51.100.46 3 A 198.51.100.45 3 A 198.51.100.41 3 A 198.51.100.47 3 A 198.51.100.44
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.109#56557: query: cc-api-data.adobe.io IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.109#56557 (cc-api-data.adobe.io.): answer: cc-api-data.adobe.io. IN A (10.100.0.1) -> NOERROR 48 CNAME cc-api-data-ew1.adobe.io. 10 CNAME ethos.dunamis.ethos508-prod-va6.ethos.adobe.net. 56 CNAME dunamis-ethos508-prod-va6-856defacfb833db1.elb.us-east-1.amazonaws.com. 7 A 198.51.100.2 7 A 198.51.100.196 7 A 198.51.100.5
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.54#37155: query: host007.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.54#37155 (host007.example.net.): answer: host007.example.net. IN AAAA (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56703 (host028.host028.example.net.): answer: host028.host028.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.215#54418: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.215#54418 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.179#61269 (ssl.gstatic.com.): answer: ssl.gstatic.com. IN AAAA (10.100.0.1) -> NOERROR 116 AAAA fd12:3456:789a::1
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.59#63597 (pneumandit.azure-devices.net.): answer: pneumandit.azure-devices.net. IN A (10.100.0.1) -> NOERROR 598 CNAME gateway-prod-gw-westeurope-5-g2.westeurope.cloudapp.azure.com. 8 A 198.51.100.0
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.54#36016: query: host008.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.54#36016 (host008.example.net.): answer: host008.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.164#56989: query: host029.host029.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.164#56989 (host029.host029.example.net.): answer: host029.host029.example.net. IN A (10.100.0.1) -> NOERROR 0 A 10.1.1.29
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#63397: query: host030.host030.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.99#64841: query: host022.host022.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.99#64841 (host023.host023.example.net.): answer: host023.host023.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#62066: query: wpad.canbus.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.183#60425: query: dms.licdn.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.183#60425 (dms.licdn.com.): answer: dms.licdn.com. IN TYPE65 (10.100.0.1) -> NOERROR 2 CNAME dms.cm.licdn.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.183#51660: query: dms.licdn.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.183#51660 (dms.licdn.com.): answer: dms.licdn.com. IN A (10.100.0.1) -> NOERROR 2 CNAME dms.cm.licdn.com. 94 CNAME dms-fsly.sb.lnkdns.net. 96 CNAME fs-ak-cf.dms.sb.lnkdns.net. 292 CNAME linkedin.map.fastly.net. 40 A 198.51.100.10 40 A 198.51.100.15 40 A 198.51.100.12 40 A 198.51.100.7
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.76#52973: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.76#52973 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.16#38153: query: host031.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.16#38153 (host031.example.net.): answer: host031.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.16#46520: query: host031.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.16#46520 (host031.example.net.): answer: host031.example.net. IN A (10.100.0.1) -> NOERROR 300 A 10.1.1.134
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.54#36261: query: host007.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.54#36261 (host007.example.net.): answer: host007.example.net. IN A (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net. 3600 A 10.100.0.1
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.37#60273: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.37#60273 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#63397 (host030.host030.example.net.): answer: host030.host030.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.187#61978: query: eas.outlook.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.187#61978 (eas.outlook.com.): answer: eas.outlook.com. IN TYPE65 (10.100.0.1) -> NOERROR 117 CNAME outlook.office365.com. 220 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.187#62797: query: eas.outlook.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.187#62797 (eas.outlook.com.): answer: eas.outlook.com. IN A (10.100.0.1) -> NOERROR 117 CNAME outlook.office365.com. 220 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.10 7 A 198.51.100.6 7 A 198.51.100.218 7 A 198.51.100.11
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.36#55473: query: host032.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.36#55473 (host032.example.net.): answer: host032.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.1.6
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#63421: query: graph-fallback.facebook.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#64289: query: graph.facebook.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#64289 (graph.facebook.com.): answer: graph.facebook.com. IN A (10.100.0.1) -> NOERROR 266 CNAME star.c10r.facebook.com. 56 A 198.51.100.24
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#55485: query: host033.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#55485 (host033.example.net.): answer: host033.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.240
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#55485: query: host033.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#55485 (host033.example.net.): answer: host033.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.73#52850: query: host034.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.73#52850 (host034.example.net.): answer: host034.example.net. IN A (10.100.0.1) -> NOERROR 1200 A 10.1.0.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#50211: query: host035.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#50211: query: host035.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#50211 (host035.example.net.): answer: host035.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.241
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#50211 (host035.example.net.): answer: host035.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#55948: query: i-fallback.instagram.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#55948 (i-fallback.instagram.com.): answer: i-fallback.instagram.com. IN A (10.100.0.1) -> NOERROR 2008 CNAME star.fallback.c10r.instagram.com. 8 A 198.51.100.20
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#63421 (graph-fallback.facebook.com.): answer: graph-fallback.facebook.com. IN A (10.100.0.1) -> NOERROR 3182 CNAME star.fallback.c10r.facebook.com. 22 A 198.51.100.19
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.183#55066: query: dms.cm.licdn.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.183#55066 (dms.cm.licdn.com.): answer: dms.cm.licdn.com. IN TYPE65 (10.100.0.1) -> NOERROR 94 CNAME dms-fsly.sb.lnkdns.net. 96 CNAME fs-ak-cf.dms.sb.lnkdns.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.163#61047: query: mail.ofcggz.nl IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.54#35774: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.54#35774 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64710: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64710 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64711: query: host036.host036.host036.host036.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64711 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60040: query: host037.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60040 (host037.example.net.): answer: host037.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64712: query: host036.host036.host036.host036.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64712 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#54535: query: graph.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#54535 (graph.microsoft.com.): answer: graph.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 1054 CNAME ags.privatelink.msidentity.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#59928: query: graph.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#59928 (graph.microsoft.com.): answer: graph.microsoft.com. IN A (10.100.0.1) -> NOERROR 1055 CNAME ags.privatelink.msidentity.com. 165 CNAME www.tm.prd.ags.akadns.net. 122 A 198.51.100.141 122 A 198.51.100.210 122 A 198.51.100.139 122 A 198.51.100.138 122 A 198.51.100.149 122 A 198.51.100.142 122 A 198.51.100.140 122 A 198.51.100.143
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64713: query: host038.host038.host038.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64713 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#60306: query: i.instagram.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#60306 (i.instagram.com.): answer: i.instagram.com. IN A (10.100.0.1) -> NOERROR 1961 CNAME instagram.c10r.instagram.com. 36 A 198.51.100.27
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64714: query: host038.host038.host038.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64714 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64715: query: host039.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64715 (host039.example.net.): answer: host039.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.205
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#50146: query: res.public.onecdn.static.microsoft IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#50146 (res.public.onecdn.static.microsoft.): answer: res.public.onecdn.static.microsoft. IN TYPE65 (10.100.0.1) -> NOERROR 281 CNAME res-ocdi-public.trafficmanager.net. 86 CNAME res-1.public.onecdn.static.microsoft. 18 CNAME res-ocdi-stls-prod.edgesuite.net. 118 CNAME a434.dscd.akamai.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#55040: query: res.public.onecdn.static.microsoft IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#55040 (res.public.onecdn.static.microsoft.): answer: res.public.onecdn.static.microsoft. IN A (10.100.0.1) -> NOERROR 282 CNAME res-ocdi-public.trafficmanager.net. 87 CNAME res-1.public.onecdn.static.microsoft. 19 CNAME res-ocdi-stls-prod.edgesuite.net. 119 CNAME a434.dscd.akamai.net. 14 A 198.51.100.74 14 A 198.51.100.64 14 A 198.51.100.70 14 A 198.51.100.63 14 A 198.51.100.67 14
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64716: query: host039.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64716 (host039.example.net.): answer: host039.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.72#53714: query: play.google.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.72#56170: query: play.google.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.72#53714 (play.google.com.): answer: play.google.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.72#56170 (play.google.com.): answer: play.google.com. IN A (10.100.0.1) -> NOERROR 296 A 198.51.100.253
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.116#52260: query: host040.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.116#52260 (host040.example.net.): answer: host040.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.233
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60040: query: host037.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60040 (host037.example.net.): answer: host037.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.1.14
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#56090: query: graph-fallback.instagram.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#56090 (graph-fallback.instagram.com.): answer: graph-fallback.instagram.com. IN A (10.100.0.1) -> NOERROR 949 CNAME star.fallback.c10r.instagram.com. 8 A 198.51.100.20
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#60503: query: graph.instagram.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#60503 (graph.instagram.com.): answer: graph.instagram.com. IN A (10.100.0.1) -> NOERROR 2153 CNAME instagram.c10r.instagram.com. 36 A 198.51.100.27
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.3#57911: query: host007.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.3#57911: query: host007.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.3#57911 (host007.example.net.): answer: host007.example.net. IN A (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net. 3600 A 10.100.0.1
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.3#57911 (host007.example.net.): answer: host007.example.net. IN AAAA (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.163#61047 (mail.ofcggz.nl.): answer: mail.ofcggz.nl. IN A (10.100.0.1) -> NOERROR 60 A 198.51.100.108
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#62066 (wpad.canbus.net.): answer: wpad.canbus.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.96#50532: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.96#50532 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.76#65177: query: outlook.office365.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.76#65177 (outlook.office365.com.): answer: outlook.office365.com. IN A (10.100.0.1) -> NOERROR 220 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.10 7 A 198.51.100.11 7 A 198.51.100.218 7 A 198.51.100.6
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#57935: query: obseu.seroundprince.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#60255: query: obseu.seroundprince.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#61325: query: gsp85-ssl.ls.apple.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#61325 (gsp85-ssl.ls.apple.com.): answer: gsp85-ssl.ls.apple.com. IN TYPE65 (10.100.0.1) -> NOERROR 1017 CNAME gsp85-ssl.ls2-apple.com.akadns.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.88#59888: query: europe.smartscreen.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.88#59888 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.88#58317: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.88#58317 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.93#59023: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.93#59023 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#49899: query: gsp85-ssl.ls.apple.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#49899 (gsp85-ssl.ls.apple.com.): answer: gsp85-ssl.ls.apple.com. IN A (10.100.0.1) -> NOERROR 1017 CNAME gsp85-ssl.ls2-apple.com.akadns.net. 27 A 198.51.100.23
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#53662: query: logs.eu-west-1.amazonaws.com IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#53662 (logs.eu-west-1.amazonaws.com.): answer: logs.eu-west-1.amazonaws.com. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60040: query: host041.host041.host041.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60040 (host041.host041.host041.example.net.): answer: host041.host041.host041.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#33835: query: logs.eu-west-1.amazonaws.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#33835 (logs.eu-west-1.amazonaws.com.): answer: logs.eu-west-1.amazonaws.com. IN A (10.100.0.1) -> NOERROR 12 A 198.51.100.189 12 A 198.51.100.191 12 A 198.51.100.194 12 A 198.51.100.187 12 A 198.51.100.188 12 A 198.51.100.192 12 A 198.51.100.193 12 A 198.51.100.190
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#56970: query: _dns.resolver.arpa IN TYPE64 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#56970 (_dns.resolver.arpa.): answer: _dns.resolver.arpa. IN TYPE64 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#35084: query: logs.eu-west-1.amazonaws.com IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#35084 (logs.eu-west-1.amazonaws.com.): answer: logs.eu-west-1.amazonaws.com. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#41572: query: logs.eu-west-1.amazonaws.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#41572 (logs.eu-west-1.amazonaws.com.): answer: logs.eu-west-1.amazonaws.com. IN A (10.100.0.1) -> NOERROR 12 A 198.51.100.190 12 A 198.51.100.189 12 A 198.51.100.191 12 A 198.51.100.194 12 A 198.51.100.187 12 A 198.51.100.188 12 A 198.51.100.192 12 A 198.51.100.193
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#50279: query: logs.eu-west-1.amazonaws.com IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#50279 (logs.eu-west-1.amazonaws.com.): answer: logs.eu-west-1.amazonaws.com. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#41251: query: logs.eu-west-1.amazonaws.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#41251 (logs.eu-west-1.amazonaws.com.): answer: logs.eu-west-1.amazonaws.com. IN A (10.100.0.1) -> NOERROR 12 A 198.51.100.188 12 A 198.51.100.192 12 A 198.51.100.193 12 A 198.51.100.190 12 A 198.51.100.189 12 A 198.51.100.191 12 A 198.51.100.194 12 A 198.51.100.187
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#38988: query: logs.eu-west-1.amazonaws.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#38988 (logs.eu-west-1.amazonaws.com.): answer: logs.eu-west-1.amazonaws.com. IN A (10.100.0.1) -> NOERROR 12 A 198.51.100.189 12 A 198.51.100.191 12 A 198.51.100.194 12 A 198.51.100.187 12 A 198.51.100.188 12 A 198.51.100.192 12 A 198.51.100.193 12 A 198.51.100.190
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#36750: query: logs.eu-west-1.amazonaws.com IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#36750 (logs.eu-west-1.amazonaws.com.): answer: logs.eu-west-1.amazonaws.com. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#60255 (obseu.seroundprince.com.): answer: obseu.seroundprince.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.106#62425: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.106#62425 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.19#55292: query: ctldl.windowsupdate.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.19#55292 (ctldl.windowsupdate.com.): answer: ctldl.windowsupdate.com. IN A (10.100.0.1) -> NOERROR 2379 CNAME ctldl.windowsupdate.com.delivery.microsoft.com. 2350 CNAME wu-b-net.trafficmanager.net. 247 CNAME bg.microsoft.map.fastly.net. 19 A 198.51.100.111 19 A 198.51.100.112
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#56900: query: gsp85-ssl.ls2-apple.com.akadns.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#56900 (gsp85-ssl.ls2-apple.com.akadns.net.): answer: gsp85-ssl.ls2-apple.com.akadns.net. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.126#61396: query: outlook.office365.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.126#61396 (outlook.office365.com.): answer: outlook.office365.com. IN A (10.100.0.1) -> NOERROR 220 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.6 7 A 198.51.100.10 7 A 198.51.100.11 7 A 198.51.100.218
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.223#52542: query: 198.51.100.0.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.223#52542 (198.51.100.0.in-addr.arpa.): answer: 198.51.100.0.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 1800 PTR host025.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54963: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54963 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.92#51600: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.92#51600 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54964: query: host036.host036.host036.host036.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54964 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.49#49918: query: edr-weu.eu.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.49#49918 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 15 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com. 3 A 198.51.100.158
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54965: query: host036.host036.host036.host036.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54965 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54966: query: host038.host038.host038.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54966 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54967: query: host038.host038.host038.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54967 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54968: query: host039.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54968 (host039.example.net.): answer: host039.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.205
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54969: query: host039.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54969 (host039.example.net.): answer: host039.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#47598: query: 198.51.100.57.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#47598 (198.51.100.57.in-addr.arpa.): answer: 198.51.100.57.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host042.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.34#59472: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.34#59472 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53419: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53419 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.51#57571: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53420: query: host036.host036.host036.host036.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.51#57571 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53420 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53421: query: host036.host036.host036.host036.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53421 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53422: query: host038.host038.host038.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53422 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.175#52298: query: config.teams.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.175#52298 (config.teams.microsoft.com.): answer: config.teams.microsoft.com. IN A (10.100.0.1) -> NOERROR 3013 CNAME config.teams.trafficmanager.net. 47 CNAME dual-s-0005-teams.config.skype.com. 5719 CNAME config-teams.s-0005.dual-s-msedge.net. 92 CNAME s-0005.dual-s-msedge.net. 25 A 198.51.100.251 25 A 198.51.100.252
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53423: query: host038.host038.host038.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53423 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53424: query: host039.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53424 (host039.example.net.): answer: host039.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.205
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53425: query: host039.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53425 (host039.example.net.): answer: host039.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.135#63065: query: ctldl.windowsupdate.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.135#63065 (ctldl.windowsupdate.com.): answer: ctldl.windowsupdate.com. IN A (10.100.0.1) -> NOERROR 2379 CNAME ctldl.windowsupdate.com.delivery.microsoft.com. 2350 CNAME wu-b-net.trafficmanager.net. 247 CNAME bg.microsoft.map.fastly.net. 19 A 198.51.100.111 19 A 198.51.100.112
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.153#49392: query: cl3.apple.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.23#49927: query: outlook.office.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.23#49927 (outlook.office.com.): answer: outlook.office.com. IN A (10.100.0.1) -> NOERROR 31 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.6 7 A 198.51.100.218 7 A 198.51.100.11 7 A 198.51.100.10
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.61#57029: query: www.snsbank.nl IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.61#54387: query: www.snsbank.nl IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.239#59161: query: example.net IN SOA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.239#59161 (example.net.): answer: example.net. IN SOA (10.100.0.1) -> NOERROR 3600 SOA host015.example.net. empty.empty. 1438828 3600 600 1209600 3600
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.153#65237: query: cl3.apple.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.76#50409: query: sn.webrootcloudav.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.76#50409 (sn.webrootcloudav.com.): answer: sn.webrootcloudav.com. IN A (10.100.0.1) -> NOERROR 40 A 198.51.100.20 40 A 198.51.100.225 40 A 198.51.100.21
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60043: query: host037.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60043 (host037.example.net.): answer: host037.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60043: query: host037.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60043 (host037.example.net.): answer: host037.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.1.14
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60043: query: host041.host041.host041.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60043 (host041.host041.host041.example.net.): answer: host041.host041.host041.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.153#49392 (cl3.apple.com.): answer: cl3.apple.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.16#57345: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.16#57345 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.61#57029 (www.snsbank.nl.): answer: www.snsbank.nl. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.54#49940: query: host043.host043.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.54#49940 (host043.host043.example.net.): answer: host043.host043.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.216
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.35#65420: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.35#65420 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#57935 (obseu.seroundprince.com.): answer: obseu.seroundprince.com. IN A (10.100.0.1) -> NOERROR 60 CNAME master.eu-west-1.prod.engine-nlb.cheqzone.com. 17 A 198.51.100.198
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.78#59789: query: enterpriseregistration.windows.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.78#59789 (enterpriseregistration.windows.net.): answer: enterpriseregistration.windows.net. IN A (10.100.0.1) -> NOERROR 1792 CNAME na.privatelink.msidentity.com. 129 CNAME prdf.aadg.msidentity.com. 21 CNAME www.tm.f.prd.aadg.akadns.net. 291 A 198.51.100.213 291 A 198.51.100.150 291 A 198.51.100.215 291 A 198.51.100.152 291 A 198.51.100.151 291 A 198.51.100.214 291 A 198.51.100.211 291 A 40.12
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.225#60834: query: host044.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.225#60834 (host044.example.net.): answer: host044.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.194#39477: query: 198.51.100.81.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.194#39477 (198.51.100.81.in-addr.arpa.): answer: 198.51.100.81.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host045.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.137#7122: query: eu-mobile.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.137#7122 (eu-mobile.events.data.microsoft.com.): answer: eu-mobile.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 8 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.153#65237 (cl3.apple.com.): answer: cl3.apple.com. IN A (10.100.0.1) -> NOERROR 508 CNAME cl3-cdn.origin-apple.com.akadns.net. 340 CNAME cl3.g.aaplimg.com. 15 A 198.51.100.57 15 A 198.51.100.52
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#65019: query: dns.opendns.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#65019 (dns.opendns.com.): answer: dns.opendns.com. IN A (10.100.0.1) -> NOERROR 2380 A 198.51.100.161 2380 A 198.51.100.160
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60046: query: host037.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60046 (host037.example.net.): answer: host037.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60046: query: host037.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60046 (host037.example.net.): answer: host037.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.1.14
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.64#64508: query: downloadplugins.citrix.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.64#64508 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#54799: query: doh.umbrella.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#54799 (doh.umbrella.com.): answer: doh.umbrella.com. IN A (10.100.0.1) -> NOERROR 1 A 198.51.100.255
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#56344: query: doh.umbrella.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#56344 (doh.umbrella.com.): answer: doh.umbrella.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#53419: query: host046.host046.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#63373: query: _dns.resolver.arpa IN TYPE64 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#63373 (_dns.resolver.arpa.): answer: _dns.resolver.arpa. IN TYPE64 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#49553: query: doh.opendns.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#49553 (doh.opendns.com.): answer: doh.opendns.com. IN A (10.100.0.1) -> NOERROR 114 A 198.51.100.254
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#53419 (host047.host047.example.net.): answer: host047.host047.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60046: query: host041.host041.host041.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#51160: query: doh.opendns.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#51160 (doh.opendns.com.): answer: doh.opendns.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60046 (host041.host041.host041.example.net.): answer: host041.host041.host041.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#57116: query: dns.umbrella.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#57116 (dns.umbrella.com.): answer: dns.umbrella.com. IN A (10.100.0.1) -> NOERROR 376 A 198.51.100.161 376 A 198.51.100.160
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#62393: query: dns.umbrella.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#62393 (dns.umbrella.com.): answer: dns.umbrella.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#63904: query: master.eu-west-1.prod.engine-nlb.cheqzone.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#61835: query: dns.opendns.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#61835 (dns.opendns.com.): answer: dns.opendns.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#64184: query: host048.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#64184 (host049.example.net.): answer: host049.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#51884: query: host200.internal.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#51884 (host200.internal.net.): answer: host200.internal.net. IN A (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.64#53265: query: turbo.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.64#53265 (turbo.microsoft.com.): answer: turbo.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 892 CNAME turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.85#61721: query: www.googletagmanager.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.85#61721 (www.googletagmanager.com.): answer: www.googletagmanager.com. IN A (10.100.0.1) -> NOERROR 201 A 198.51.100.252
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.129#61233: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.129#61233 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.64#51746: query: turbo.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.64#51746 (turbo.microsoft.com.): answer: turbo.microsoft.com. IN A (10.100.0.1) -> NOERROR 892 CNAME turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net. 5 CNAME mr-b01.tm-azurefd.net. 28 CNAME dual.part-0017.t-0009.fb-t-msedge.net. 37 CNAME part-0017.t-0009.fb-t-msedge.net. 35 A 198.51.100.210 35 A 198.51.100.211
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.85#65484: query: www.googletagmanager.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.85#65484 (www.googletagmanager.com.): answer: www.googletagmanager.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.227#55240: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.227#55240 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.11#54043: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.11#54043 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#63904 (master.eu-west-1.prod.engine-nlb.cheqzone.com.): answer: master.eu-west-1.prod.engine-nlb.cheqzone.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.221#59759: query: host050.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.221#59759: query: host050.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.61#54387 (www.snsbank.nl.): answer: www.snsbank.nl. IN A (10.100.0.1) -> NOERROR 20 A 198.51.100.126 20 A 198.51.100.129
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.221#59759 (host051.example.net.): answer: host051.example.net. IN A (10.100.0.1) -> NOERROR 1800 A 172.16.2.65
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.221#59759 (host051.example.net.): answer: host051.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.82#49540: query: host034.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.82#49540 (host034.example.net.): answer: host034.example.net. IN A (10.100.0.1) -> NOERROR 1200 A 10.1.0.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.153#54808: query: cl3.g.aaplimg.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.153#54808 (cl3.g.aaplimg.com.): answer: cl3.g.aaplimg.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#50405: query: test-gateway.instagram.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#50405 (test-gateway.instagram.com.): answer: test-gateway.instagram.com. IN A (10.100.0.1) -> NOERROR 2033 CNAME dgw-ig.c10r.facebook.com. 8 A 198.51.100.28
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.186#65533: query: lb._dns-sd._udp.198.51.100.113.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.186#65533 (lb._dns-sd._udp.198.51.100.113.in-addr.arpa.): answer: lb._dns-sd._udp.198.51.100.113.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#64242: query: gateway.instagram.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#64242 (gateway.instagram.com.): answer: gateway.instagram.com. IN A (10.100.0.1) -> NOERROR 1212 CNAME dgw.c10r.facebook.com. 33 A 198.51.100.26
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.186#58930: query: host021.host021.host021.example.net IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.186#58930 (host021.host021.host021.example.net.): answer: host021.host021.host021.example.net. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.186#49738: query: lb._dns-sd._udp.192.0.2.2.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.186#49738 (lb._dns-sd._udp.192.0.2.2.in-addr.arpa.): answer: lb._dns-sd._udp.192.0.2.2.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.176#62054: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.176#62054 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.184#53303: query: ecs.office.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.184#53303 (ecs.office.com.): answer: ecs.office.com. IN A (10.100.0.1) -> NOERROR 78 CNAME ecs.office.trafficmanager.net. 7 CNAME dual-s-0005-office.config.skype.com. 8549 CNAME ecs-office.s-0005.dual-s-msedge.net. 40 CNAME s-0005.dual-s-msedge.net. 25 A 198.51.100.252 25 A 198.51.100.251
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#26652: query: api-emea.flightproxy.teams.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.66#55371: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.66#55371 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.75#60078: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.75#60078 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.194#45361: query: host045.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.194#45361 (host045.example.net.): answer: host045.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.191
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.130#55301: query: v10.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.130#55301 (v10.events.data.microsoft.com.): answer: v10.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 22 CNAME win-global-asimov-leafs-events-data.trafficmanager.net. 6 CNAME onedscolprdeus11.eastus.cloudapp.azure.com. 5 A 198.51.100.154
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.15#45859: query: host031.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.15#45859: query: host031.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.15#45859 (host031.example.net.): answer: host031.example.net. IN A (10.100.0.1) -> NOERROR 300 A 10.1.1.134
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.15#45859 (host031.example.net.): answer: host031.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.24#50529: query: euc-word-edit.officeapps.live.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.24#50529 (euc-word-edit.officeapps.live.com.): answer: euc-word-edit.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR 3 CNAME euc-word-edit-geo.wac.trafficmanager.net. 14 CNAME euc-word-edit.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 20 CNAME wac-0003.wac-msedge.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.24#52993: query: euc-word-edit.officeapps.live.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.24#52993 (euc-word-edit.officeapps.live.com.): answer: euc-word-edit.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 3 CNAME euc-word-edit-geo.wac.trafficmanager.net. 14 CNAME euc-word-edit.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 20 CNAME wac-0003.wac-msedge.net. 18 A 198.51.100.235 18 A 198.51.100.236
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.137#48503: query: www.tizen.org IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.137#48503 (www.tizen.org.): answer: www.tizen.org. IN A (10.100.0.1) -> NOERROR 12 A 198.51.100.97 12 A 198.51.100.96 12 A 198.51.100.98 12 A 198.51.100.99
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.4#15232: query: host052.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.4#15232 (host052.example.net.): answer: host052.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.1.2
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.4#46339: query: host052.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.4#46339 (host052.example.net.): answer: host052.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.101#58858: query: outlook.office.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.101#58858 (outlook.office.com.): answer: outlook.office.com. IN A (10.100.0.1) -> NOERROR 31 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.218 7 A 198.51.100.11 7 A 198.51.100.10 7 A 198.51.100.6
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.200#56508: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.200#56508: query: eu-v20.events.endpoint.security.microsoft.com IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.200#56508 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.200#56508 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN AAAA (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.194#49921: query: host045.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#58342: query: host053.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.194#49921 (host045.example.net.): answer: host045.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.191
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#58342 (host053.example.net.): answer: host053.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.194#57464: query: host045.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.194#57464 (host045.example.net.): answer: host045.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.191
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.4#61891: query: host054.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.4#61891 (host054.example.net.): answer: host054.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.4#54295: query: host054.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.4#54295 (host054.example.net.): answer: host054.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.1.1
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.52#58462: query: turbo.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.52#58462 (turbo.microsoft.com.): answer: turbo.microsoft.com. IN A (10.100.0.1) -> NOERROR 892 CNAME turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net. 5 CNAME mr-b01.tm-azurefd.net. 28 CNAME dual.part-0017.t-0009.fb-t-msedge.net. 37 CNAME part-0017.t-0009.fb-t-msedge.net. 35 A 198.51.100.211 35 A 198.51.100.210
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.30#54389: query: edge.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.30#54389 (edge.microsoft.com.): answer: edge.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 626 CNAME edge-microsoft-com.ax-0002.ax-msedge.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.30#49206: query: edge.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.30#49206 (edge.microsoft.com.): answer: edge.microsoft.com. IN A (10.100.0.1) -> NOERROR 626 CNAME edge-microsoft-com.ax-0002.ax-msedge.net. 80 CNAME ax-0002.ax-dc-msedge.net. 5 A 198.51.100.4 5 A 198.51.100.3
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#26652 (api-emea.flightproxy.teams.microsoft.com.): answer: api-emea.flightproxy.teams.microsoft.com. IN A (10.100.0.1) -> NOERROR 43017 CNAME flightproxy-emea-teams.trafficmanager.net. 19 CNAME ep-frce-02-prod-aks.flightproxy.teams.microsoft.com. 10202 CNAME epx.frce-02.ic3-calling-enterpriseproxy.francecentral-prod.cosmic.office.net. 4 CNAME cosmic-francecentral-ns-9ecb4f6d7
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.48#52031: query: r4.res.office365.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.48#52031 (r4.res.office365.com.): answer: r4.res.office365.com. IN A (10.100.0.1) -> NOERROR 219 CNAME r4.res.office365.com.edgekey.net. 9 CNAME e40491.dscg.akamaiedge.net. 12 A 198.51.100.125 12 A 198.51.100.131
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.27#55201: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.27#55201 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.50#49235: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.50#49235 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.66#57679: query: eu-teams.events.data.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.66#57679 (eu-teams.events.data.microsoft.com.): answer: eu-teams.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 9 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.2#63480: query: 198.51.100.35.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.2#63480 (198.51.100.35.in-addr.arpa.): answer: 198.51.100.35.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host055.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.231#62453: query: example.net IN SOA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.66#50834: query: eu-teams.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.66#50834 (eu-teams.events.data.microsoft.com.): answer: eu-teams.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 9 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.231#62453 (example.net.): answer: example.net. IN SOA (10.100.0.1) -> NOERROR 3600 SOA host015.example.net. empty.empty. 1438828 3600 600 1209600 3600
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.162#55408: query: web.whatsapp.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.162#55408 (web.whatsapp.com.): answer: web.whatsapp.com. IN TYPE65 (10.100.0.1) -> NOERROR 3419 CNAME mmx-ds.cdn.whatsapp.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.162#56602: query: web.whatsapp.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.162#56602 (web.whatsapp.com.): answer: web.whatsapp.com. IN A (10.100.0.1) -> NOERROR 3419 CNAME mmx-ds.cdn.whatsapp.net. 2 A 198.51.100.32
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.91#54359: query: nexusrules.officeapps.live.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.91#54359 (nexusrules.officeapps.live.com.): answer: nexusrules.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 2687 CNAME prod.nexusrules.live.com.akadns.net. 23 A 198.51.100.249
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#47173: query: host013.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#47173: query: host013.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#47173 (host013.example.net.): answer: host013.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.217
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#47173 (host013.example.net.): answer: host013.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.32#52762: query: enterpriseregistration.windows.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.32#52762 (enterpriseregistration.windows.net.): answer: enterpriseregistration.windows.net. IN A (10.100.0.1) -> NOERROR 1792 CNAME na.privatelink.msidentity.com. 129 CNAME prdf.aadg.msidentity.com. 21 CNAME www.tm.f.prd.aadg.akadns.net. 291 A 198.51.100.152 291 A 198.51.100.151 291 A 198.51.100.214 291 A 198.51.100.211 291 A 198.51.100.212 291 A 198.51.100.213 291 A 198.51.100.150 291 A 40.12
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.146#62034: query: login.microsoftonline.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.146#62034 (login.microsoftonline.com.): answer: login.microsoftonline.com. IN A (10.100.0.1) -> NOERROR 7955 CNAME login.mso.msidentity.com. 71 CNAME ak.privatelink.msidentity.com. 41 CNAME www.tm.a.prd.aadg.trafficmanager.net. 99 A 198.51.100.209 99 A 198.51.100.144 99 A 198.51.100.137 99 A 198.51.100.146 99 A 198.51.100.208 99 A 198.51.100.148 99 A 198.51.100.145 99 A 198.51.100.147
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.140#61255: query: host004.host004.host004.host004.example.net IN SRV (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.140#61255 (host004.host004.host004.host004.example.net.): answer: host004.host004.host004.host004.example.net. IN SRV (10.100.0.1) -> NOERROR 600 SRV 0 100 389 host005.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#40005: query: 198.51.100.209.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#40005 (198.51.100.209.in-addr.arpa.): answer: 198.51.100.209.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host056.host056.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.140#61255: query: host005.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.140#61255 (host005.example.net.): answer: host005.example.net. IN A (10.100.0.1) -> NOERROR 1200 A 10.1.0.228
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#31651: query: go-eu.trouter.teams.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#31651 (go-eu.trouter.teams.microsoft.com.): answer: go-eu.trouter.teams.microsoft.com. IN A (10.100.0.1) -> NOERROR 1421 CNAME trouter-atm-pub-ent-emea.trafficmanager.net. 7 CNAME pub-ent-euwe-07-t.trouter.teams.microsoft.com. 2072 CNAME partition-cname-trouter.pub-ent-euwe-07.ic3-edf-trouter.westeurope-prod.cosmic.office.net. 9 CNAME cosmic-westeurope-ns-b80c4716b71c.traffic
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.61#57103: query: eu.recent.svc.cloud.microsoft IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.61#57103 (eu.recent.svc.cloud.microsoft.): answer: eu.recent.svc.cloud.microsoft. IN A (10.100.0.1) -> NOERROR 337 CNAME eudb.ocws1.live.com.akadns.net. 49 CNAME recent-prod-weightedww.trafficmanager.net. 30 CNAME atm.office.mira.tm.svc.cloud.microsoft. 9 A 198.51.100.241 9 A 198.51.100.237 9 A 198.51.100.239 9 A 198.51.100.240
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.1#48515: query: 198.51.100.35.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.1#48515 (198.51.100.35.in-addr.arpa.): answer: 198.51.100.35.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host055.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.30#54545: query: js.monitor.azure.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.30#54545 (js.monitor.azure.com.): answer: js.monitor.azure.com. IN A (10.100.0.1) -> NOERROR 21 CNAME aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net. 44 CNAME mr-z01.tm-azurefd.net. 40 CNAME dual.part-0017.t-0009.fb-t-msedge.net. 37 CNAME part-0017.t-0009.fb-t-msedge.net. 35 A 198.51.100.211 35 A 198.51.100.210
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.30#56147: query: js.monitor.azure.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.30#56147 (js.monitor.azure.com.): answer: js.monitor.azure.com. IN TYPE65 (10.100.0.1) -> NOERROR 52 CNAME aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.63#56741: query: geover.prod.do.dsp.mp.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.63#56741 (geover.prod.do.dsp.mp.microsoft.com.): answer: geover.prod.do.dsp.mp.microsoft.com. IN A (10.100.0.1) -> NOERROR 3565 CNAME geover.prod.do.dsp.mp.microsoft.com.edgekey.net. 5363 CNAME e10370.d.akamaiedge.net. 20 A 198.51.100.182
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.7#51716: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.7#51716 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#53510: query: api-emea.flightproxy.teams.microsoft.com IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.223#51443: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.223#51443 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.223#51443: query: eu-v20.events.endpoint.security.microsoft.com IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.223#51443 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN AAAA (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.31#49738: query: edge.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.31#49738 (edge.microsoft.com.): answer: edge.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 626 CNAME edge-microsoft-com.ax-0002.ax-msedge.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.77#53488: query: host019.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.77#53488 (host019.example.net.): answer: host019.example.net. IN A (10.100.0.1) -> NOERROR 180 A 10.1.1.8
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.31#62995: query: edge.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.31#62995 (edge.microsoft.com.): answer: edge.microsoft.com. IN A (10.100.0.1) -> NOERROR 626 CNAME edge-microsoft-com.ax-0002.ax-msedge.net. 80 CNAME ax-0002.ax-dc-msedge.net. 5 A 198.51.100.3 5 A 198.51.100.4
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.145#58032: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.145#58032 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.41#56120: query: v10.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.41#56120 (v10.events.data.microsoft.com.): answer: v10.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 22 CNAME win-global-asimov-leafs-events-data.trafficmanager.net. 6 CNAME onedscolprdeus11.eastus.cloudapp.azure.com. 5 A 198.51.100.154
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.27#58099: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.27#58099 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.77#55627: query: host022.host022.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.77#55627 (host023.host023.example.net.): answer: host023.host023.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#53510 (api-emea.flightproxy.teams.microsoft.com.): answer: api-emea.flightproxy.teams.microsoft.com. IN AAAA (10.100.0.1) -> NOERROR 43017 CNAME flightproxy-emea-teams.trafficmanager.net. 19 CNAME ep-frce-02-prod-aks.flightproxy.teams.microsoft.com. 10202 CNAME epx.frce-02.ic3-calling-enterpriseproxy.francecentral-prod.cosmic.office.net. 4 CNAME cosmic-francecentral-ns-9ecb4f
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.214#62206: query: testorg.service-now.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.214#62206 (testorg.service-now.com.): answer: testorg.service-now.com. IN A (10.100.0.1) -> NOERROR 1 A 198.51.100.1
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.67#52009: query: edr-weu.eu.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.67#52009 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 15 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com. 3 A 198.51.100.158
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#50858: query: host057.host057.host057.host057.host057.host057.example.net IN SRV (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#50731: query: host058.host058.host058.host058.host058.host058.example.net IN SRV (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#56071: query: host057.host057.host057.host057.host057.host057.example.net IN SRV (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#50858 (_kerberos._tcp.Centrum-Locatie._sites.dc._msdcs.EXAMPLE.NET.): answer: _kerberos._tcp.Centrum-Locatie._sites.dc._msdcs.EXAMPLE.NET. IN SRV (10.100.0.1) -> NOERROR 600 SRV 0 100 88 host034.example.net. 600 SRV 0 100 88 host059.example.net. 600 SRV 0 100 88 host005.example.net. 600 SRV 0 100 88 host060.example.net. 600 SRV 0 100 88 host061.example.net. 600 SRV 0 100 88 dc5.example.ne
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#50731 (host062.host062.host062.host062.host062.host062.example.net.): answer: host062.host062.host062.host062.host062.host062.example.net. IN SRV (10.100.0.1) -> NOERROR 600 SRV 0 100 389 host063.example.net. 600 SRV 0 100 389 host059.example.net. 600 SRV 0 100 389 host060.example.net. 600 SRV 0 100 389 host005.example.net. 600 SRV 0 100 389 host061.example.net. 600 SRV 0 100 389 host034.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#56071 (host064.host064.host064.host064.host064.host064.example.net.): answer: host064.host064.host064.host064.host064.host064.example.net. IN SRV (10.100.0.1) -> NOERROR 600 SRV 0 100 88 host060.example.net. 600 SRV 0 100 88 host005.example.net. 600 SRV 0 100 88 host063.example.net. 600 SRV 0 100 88 host034.example.net. 600 SRV 0 100 88 host059.example.net. 600 SRV 0 100 88 dc4.example.ne
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#3264: query: go-eu.trouter.teams.microsoft.com IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#3264 (go-eu.trouter.teams.microsoft.com.): answer: go-eu.trouter.teams.microsoft.com. IN AAAA (10.100.0.1) -> NOERROR 1421 CNAME trouter-atm-pub-ent-emea.trafficmanager.net. 7 CNAME pub-ent-euwe-07-t.trouter.teams.microsoft.com. 2072 CNAME partition-cname-trouter.pub-ent-euwe-07.ic3-edf-trouter.westeurope-prod.cosmic.office.net. 9 CNAME cosmic-westeurope-ns-b80c4716b71c.traff
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.40#58484: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.40#58484 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.40#55140: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.40#55140 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.128#60586: query: wise-m.public.cdn.office.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.128#60586 (wise-m.public.cdn.office.net.): answer: wise-m.public.cdn.office.net. IN TYPE65 (10.100.0.1) -> NOERROR 172 CNAME res-prod.trafficmanager.net. 103 CNAME res-1.cdn.office.net. 96 CNAME res-stls-prod.edgesuite.net. 221 CNAME a726.dscd.akamai.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.25#58988: query: cmp.nu.nl IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.25#58988 (cmp.nu.nl.): answer: cmp.nu.nl. IN A (10.100.0.1) -> NXDOMAIN 211 CNAME cdn-1294-2.privacy-mgmt.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.128#57141: query: wise-m.public.cdn.office.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.128#57141 (wise-m.public.cdn.office.net.): answer: wise-m.public.cdn.office.net. IN A (10.100.0.1) -> NOERROR 171 CNAME res-prod.trafficmanager.net. 102 CNAME res-1.cdn.office.net. 95 CNAME res-stls-prod.edgesuite.net. 220 CNAME a726.dscd.akamai.net. 9 A 198.51.100.68 9 A 198.51.100.65 9 A 198.51.100.75 9 A 198.51.100.71 9 A 198.51.100.73 9 A 198.51.100.70 9 A 198.51.100.67 9 A 198.51.100.59
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.53#55065: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.53#55065 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.93#57169: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.93#57169 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.106#56240: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.106#50850: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.106#56240 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.106#50850 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#31030: query: emea.cc.skype.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.148#53010: query: www.zorgdoc.nl IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.148#53010 (www.zorgdoc.nl.): answer: www.zorgdoc.nl. IN A (10.100.0.1) -> NOERROR 23 A 198.51.100.205 23 A 198.51.100.206
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.148#55250: query: www.zorgdoc.nl IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.148#55250 (www.zorgdoc.nl.): answer: www.zorgdoc.nl. IN A (10.100.0.1) -> NOERROR 23 A 198.51.100.206 23 A 198.51.100.205
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.48#53231: query: f58cbbd478574eb99f3a5435625ea88f.fp.measure.office.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.148#51520: query: www.zorgdoc.nl IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.115#54066: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.115#54066 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#55442: query: host033.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#55442: query: host033.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#55442 (host033.example.net.): answer: host033.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.240
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#55442 (host033.example.net.): answer: host033.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.148#65503: query: www.zorgdoc.nl IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.148#65503 (www.zorgdoc.nl.): answer: www.zorgdoc.nl. IN A (10.100.0.1) -> NOERROR 23 A 198.51.100.206 23 A 198.51.100.205
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#22708: query: emea.cc.skype.com IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#22708 (emea.cc.skype.com.): answer: emea.cc.skype.com. IN AAAA (10.100.0.1) -> NOERROR 70345 CNAME cc-emea-skype.trafficmanager.net. 1 CNAME cc-euno-03-prod-aks.cc.skype.com. 775 CNAME callcontroller.euno-03.ic3-calling-callcontroller.northeurope-prod.cosmic.office.net. 2 CNAME cosmic-northeurope-ns-896c43260b21.trafficmanager.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.209#53657: query: example.net IN SOA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.209#53657 (example.net.): answer: example.net. IN SOA (10.100.0.1) -> NOERROR 3600 SOA host015.example.net. empty.empty. 1438828 3600 600 1209600 3600
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#50998: query: host035.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#50998 (host035.example.net.): answer: host035.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.241
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#50998: query: host035.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#50998 (host035.example.net.): answer: host035.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.206#49233: query: mdav.eu.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.206#49233 (mdav.eu.endpoint.security.microsoft.com.): answer: mdav.eu.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 106 CNAME md-prod-simcon-atm-epp-eu.trafficmanager.net. 269 CNAME md-prod-simcon-ip0.westeurope.cloudapp.azure.com. 1 A 198.51.100.157
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#50858: query: host005.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#50858 (host005.example.net.): answer: host005.example.net. IN A (10.100.0.1) -> NOERROR 1200 A 10.1.0.228
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#56071: query: host034.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#56071 (host034.example.net.): answer: host034.example.net. IN A (10.100.0.1) -> NOERROR 1200 A 10.1.0.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#31030 (emea.cc.skype.com.): answer: emea.cc.skype.com. IN A (10.100.0.1) -> NOERROR 70345 CNAME cc-emea-skype.trafficmanager.net. 1 CNAME cc-euno-03-prod-aks.cc.skype.com. 775 CNAME callcontroller.euno-03.ic3-calling-callcontroller.northeurope-prod.cosmic.office.net. 2 CNAME cosmic-northeurope-ns-896c43260b21.trafficmanager.net. 10 A 198.51.100.254
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.168#53265: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.168#53265 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.10#58615: query: host029.host029.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.10#58615 (host029.host029.example.net.): answer: host029.host029.example.net. IN A (10.100.0.1) -> NOERROR 0 A 10.1.1.29
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.148#51520 (www.zorgdoc.nl.): answer: www.zorgdoc.nl. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.63#61608: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.63#61608 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.48#53231 (f58cbbd478574eb99f3a5435625ea88f.fp.measure.office.com.): answer: f58cbbd478574eb99f3a5435625ea88f.fp.measure.office.com. IN A (10.100.0.1) -> NOERROR 10 A 198.51.100.8 10 A 198.51.100.217 10 A 198.51.100.219 10 A 198.51.100.221 10 A 198.51.100.220 10 A 198.51.100.9 10 A 198.51.100.222 10 A 198.51.100.7
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.145#58539: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#58080: query: host046.host046.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.145#58539 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#58080 (host047.host047.example.net.): answer: host047.host047.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.166#59261: query: ecs.office.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.166#59261 (ecs.office.com.): answer: ecs.office.com. IN A (10.100.0.1) -> NOERROR 78 CNAME ecs.office.trafficmanager.net. 7 CNAME dual-s-0005-office.config.skype.com. 8549 CNAME ecs-office.s-0005.dual-s-msedge.net. 40 CNAME s-0005.dual-s-msedge.net. 25 A 198.51.100.252 25 A 198.51.100.251
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#58046: query: host048.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#58046 (host049.example.net.): answer: host049.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.153#51183: query: host065.host065.host065.example.net IN SRV (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.153#51183 (host065.host065.host065.example.net.): answer: host065.host065.host065.example.net. IN SRV (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#58556: query: host200.internal.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#58556 (host200.internal.net.): answer: host200.internal.net. IN A (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.109#47787: query: v2.api.relayrobotics.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.109#47787 (v2.api.relayrobotics.com.): answer: v2.api.relayrobotics.com. IN A (10.100.0.1) -> NOERROR 85 CNAME ghs.googlehosted.com. 38 A 198.51.100.237
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.102#57705: query: 198.51.100.17.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.102#57705 (198.51.100.17.in-addr.arpa.): answer: 198.51.100.17.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 600 PTR host066.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.249#47132: query: host067.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.249#51746: query: host068.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.249#18582: query: host067.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.249#33065: query: host068.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.249#47132 (host067.example.net.): answer: host067.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.249#51746 (host068.example.net.): answer: host068.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.249#33065 (host068.example.net.): answer: host068.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.248
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.249#18582 (host067.example.net.): answer: host067.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.247
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.147#61653: query: substrate.office.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.147#61653 (substrate.office.com.): answer: substrate.office.com. IN A (10.100.0.1) -> NOERROR 46 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.218 7 A 198.51.100.6 7 A 198.51.100.11 7 A 198.51.100.10
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.31#59583: query: graph.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.31#59583 (graph.microsoft.com.): answer: graph.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 1054 CNAME ags.privatelink.msidentity.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.31#58527: query: graph.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.31#58527 (graph.microsoft.com.): answer: graph.microsoft.com. IN A (10.100.0.1) -> NOERROR 1055 CNAME ags.privatelink.msidentity.com. 165 CNAME www.tm.prd.ags.akadns.net. 122 A 198.51.100.210 122 A 198.51.100.139 122 A 198.51.100.138 122 A 198.51.100.149 122 A 198.51.100.142 122 A 198.51.100.140 122 A 198.51.100.143 122 A 198.51.100.141
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.147#53202: query: substrate.office.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.147#53202 (substrate.office.com.): answer: substrate.office.com. IN TYPE65 (10.100.0.1) -> NOERROR 46 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.192#42720: query: edr-weu.eu.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.192#42720: query: edr-weu.eu.endpoint.security.microsoft.com IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.192#42720 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 15 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com. 3 A 198.51.100.158
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.192#42720 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN AAAA (10.100.0.1) -> NOERROR 177 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.187#60631: query: ams-efz.ms-acdc.office.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.187#60631 (ams-efz.ms-acdc.office.com.): answer: ams-efz.ms-acdc.office.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.187#55919: query: iphone-ld.v.aaplimg.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.187#55919 (iphone-ld.v.aaplimg.com.): answer: iphone-ld.v.aaplimg.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.81#57911: query: outlook.office365.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.81#57911 (outlook.office365.com.): answer: outlook.office365.com. IN A (10.100.0.1) -> NOERROR 220 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.218 7 A 198.51.100.6 7 A 198.51.100.10 7 A 198.51.100.11
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.137#32109: query: www.acm.org IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.137#32109 (www.acm.org.): answer: www.acm.org. IN A (10.100.0.1) -> NOERROR 0 A 198.51.100.202 0 A 198.51.100.203
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.248#59653: query: 198.51.100.38.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.248#59653 (198.51.100.38.in-addr.arpa.): answer: 198.51.100.38.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host069.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.129#65483: query: officeclient.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.129#65483 (officeclient.microsoft.com.): answer: officeclient.microsoft.com. IN A (10.100.0.1) -> NOERROR 858 CNAME config.officeapps.live.com. 903 CNAME prod.configsvc1.live.com.akadns.net. 11 CNAME europe.configsvc1.live.com.akadns.net. 249 CNAME config-prod-weightedww.trafficmanager.net. 54 CNAME atm.office.mira.tm.svc.cloud.microsoft. 9 A 198.51.100.239 9 A 198.51.100.240 9 A 52
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.247#16032: query: 198.51.100.38.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.247#16032 (198.51.100.38.in-addr.arpa.): answer: 198.51.100.38.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host069.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.119#64021: query: exo.nel.measure.office.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#58298: query: host013.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#58298: query: host013.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.119#64021 (exo.nel.measure.office.net.): answer: exo.nel.measure.office.net. IN TYPE65 (10.100.0.1) -> NOERROR 26 CNAME nel.measure.office.net.edgesuite.net. 5050 CNAME a1894.dscb.akamai.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#58298 (host013.example.net.): answer: host013.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.217
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#58298 (host013.example.net.): answer: host013.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.119#55172: query: exo.nel.measure.office.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.119#55172 (exo.nel.measure.office.net.): answer: exo.nel.measure.office.net. IN A (10.100.0.1) -> NOERROR 26 CNAME nel.measure.office.net.edgesuite.net. 5050 CNAME a1894.dscb.akamai.net. 15 A 198.51.100.114 15 A 198.51.100.116
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.51#52406: query: testorg.service-now.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.51#52406 (testorg.service-now.com.): answer: testorg.service-now.com. IN A (10.100.0.1) -> NOERROR 1 A 198.51.100.1
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.12#41022: query: 192.0.2.3.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.12#41022 (192.0.2.3.in-addr.arpa.): answer: 192.0.2.3.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 142247 PTR localhost.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.154#14516: query: www.gtv-fleks.nl IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.114#10011: query: graph.facebook.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.114#10011 (graph.facebook.com.): answer: graph.facebook.com. IN A (10.100.0.1) -> NOERROR 266 CNAME star.c10r.facebook.com. 56 A 198.51.100.24
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.80#51202: query: studio-playerapi.competence.biz IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.201#33202: query: edr-weu.eu.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.201#33202: query: edr-weu.eu.endpoint.security.microsoft.com IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.201#33202 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 15 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com. 3 A 198.51.100.158
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.201#33202 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN AAAA (10.100.0.1) -> NOERROR 177 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#49472: query: b._dns-sd._udp.192.0.2.2.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#49472 (b._dns-sd._udp.192.0.2.2.in-addr.arpa.): answer: b._dns-sd._udp.192.0.2.2.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#60209: query: lb._dns-sd._udp.192.0.2.2.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#61189: query: e6858.dsce9.akamaiedge.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#61189 (e6858.dsce9.akamaiedge.net.): answer: e6858.dsce9.akamaiedge.net. IN A (10.100.0.1) -> NOERROR 13 A 198.51.100.181
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#52790: query: www.apple.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#52790 (www.apple.com.): answer: www.apple.com. IN A (10.100.0.1) -> NOERROR 222 CNAME www-apple-com.v.aaplimg.com. 119 CNAME www.apple.com.edgekey.net. 157 CNAME e6858.dsce9.akamaiedge.net. 13 A 198.51.100.181
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#65351: query: host070.host070.host070.example.net IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#60209 (lb._dns-sd._udp.192.0.2.2.in-addr.arpa.): answer: lb._dns-sd._udp.192.0.2.2.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#64543: query: api.apple-cloudkit.fe2.apple-dns.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#64543 (api.apple-cloudkit.fe2.apple-dns.net.): answer: api.apple-cloudkit.fe2.apple-dns.net. IN A (10.100.0.1) -> NOERROR 87 A 198.51.100.50 87 A 198.51.100.49
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#65351 (host070.host070.host070.example.net.): answer: host070.host070.host070.example.net. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#55941: query: atc.spotify.map.fastly.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#55941 (atc.spotify.map.fastly.net.): answer: atc.spotify.map.fastly.net. IN A (10.100.0.1) -> NOERROR 0 A 198.51.100.7 0 A 198.51.100.10 0 A 198.51.100.12 0 A 198.51.100.15
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#60701: query: host071.host071.host071.example.net IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#60701 (host071.host071.host071.example.net.): answer: host071.host071.host071.example.net. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#65313: query: us-sandbox-courier-4.push-apple.com.akadns.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#65313 (us-sandbox-courier-4.push-apple.com.akadns.net.): answer: us-sandbox-courier-4.push-apple.com.akadns.net. IN A (10.100.0.1) -> NOERROR 23 A 198.51.100.29 23 A 198.51.100.25 23 A 198.51.100.26 23 A 198.51.100.28 23 A 198.51.100.24 23 A 198.51.100.27 23 A 198.51.100.31 23 A 198.51.100.30
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#64776: query: e6858.dsce9.akamaiedge.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#64776 (e6858.dsce9.akamaiedge.net.): answer: e6858.dsce9.akamaiedge.net. IN A (10.100.0.1) -> NOERROR 13 A 198.51.100.181
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#64431: query: db._dns-sd._udp.192.0.2.2.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#64431 (db._dns-sd._udp.192.0.2.2.in-addr.arpa.): answer: db._dns-sd._udp.192.0.2.2.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#58042: query: 1.courier-push-apple.com.akadns.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#58042 (1.courier-push-apple.com.akadns.net.): answer: 1.courier-push-apple.com.akadns.net. IN A (10.100.0.1) -> NOERROR 4 CNAME eu-nw-courier-4.push-apple.com.akadns.net. 22 A 198.51.100.33 22 A 198.51.100.38 22 A 198.51.100.37 22 A 198.51.100.34 22 A 198.51.100.36 22 A 198.51.100.35 22 A 198.51.100.32
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#55795: query: host021.host021.host021.example.net IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#59833: query: gew4-dealer.g2.spotify.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#59833 (gew4-dealer.g2.spotify.com.): answer: gew4-dealer.g2.spotify.com. IN TYPE65 (10.100.0.1) -> NOERROR 64 CNAME gew4-dealer-ssl.spotify.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.80#51202 (studio-playerapi.competence.biz.): answer: studio-playerapi.competence.biz. IN A (10.100.0.1) -> NOERROR 10 CNAME app-studio-playerapi-prod.azurewebsites.net. 10 CNAME waws-prod-am2-719.sip.azurewebsites.windows.net. 10 CNAME waws-prod-am2-719-c1d4.westeurope.cloudapp.azure.com. 2 A 198.51.100.136
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#55795 (host021.host021.host021.example.net.): answer: host021.host021.host021.example.net. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#53056: query: gew4-dealer.g2.spotify.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#53056 (gew4-dealer.g2.spotify.com.): answer: gew4-dealer.g2.spotify.com. IN A (10.100.0.1) -> NOERROR 63 CNAME gew4-dealer-ssl.spotify.com. 26 A 198.51.100.203
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.160#63912: query: dns.weixin.qq.com.cn IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.160#63912 (dns.weixin.qq.com.cn.): answer: dns.weixin.qq.com.cn. IN A (10.100.0.1) -> NOERROR 106 A 198.51.100.224 106 A 198.51.100.223
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.142#64168: query: europe.cp.wd.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.142#64168 (europe.cp.wd.microsoft.com.): answer: europe.cp.wd.microsoft.com. IN A (10.100.0.1) -> NOERROR 982 CNAME wd-prod-cp-eu.trafficmanager.net. 208 CNAME wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com. 5 A 198.51.100.227
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#60866: query: dgw.c10r.facebook.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#60866 (dgw.c10r.facebook.com.): answer: dgw.c10r.facebook.com. IN A (10.100.0.1) -> NOERROR 32 A 198.51.100.26
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#56846: query: mqtt.c10r.facebook.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#56846 (mqtt.c10r.facebook.com.): answer: mqtt.c10r.facebook.com. IN A (10.100.0.1) -> NOERROR 1 A 198.51.100.25
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.154#1878: query: eur.loki.delve.office.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.154#1878 (eur.loki.delve.office.com.): answer: eur.loki.delve.office.com. IN A (10.100.0.1) -> NOERROR 74 CNAME loki-atm-prod-eur.trafficmanager.net. 13 CNAME eur.fxgateway.svc.cloud.microsoft. 76 CNAME mira-cmn.tm-4.office.com. 0 A 198.51.100.166 0 A 198.51.100.174 0 A 198.51.100.172 0 A 198.51.100.171 0 A 198.51.100.167 0 A 198.51.100.168 0 A 198.51.100.176 0 A 198.51.100.177
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.49#56058: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.49#56058 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.253#22877: query: host072.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.34#59946: query: eu-mobile.events.data.microsoft.com IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.253#22877 (host072.example.net.): answer: host072.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.34#59946 (eu-mobile.events.data.microsoft.com.): answer: eu-mobile.events.data.microsoft.com. IN AAAA (10.100.0.1) -> NOERROR 8 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56731: query: host002.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56731 (host002.example.net.): answer: host002.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.253#41595: query: host072.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.253#41595 (host072.example.net.): answer: host072.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.254
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.34#63717: query: eu-mobile.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.34#63717 (eu-mobile.events.data.microsoft.com.): answer: eu-mobile.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 8 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#45026: query: host073.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#45026 (host073.example.net.): answer: host073.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#52316: query: star.c10r.facebook.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#52316 (star.c10r.facebook.com.): answer: star.c10r.facebook.com. IN A (10.100.0.1) -> NOERROR 55 A 198.51.100.24
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.56#56153: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.56#56153 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#36524: query: host074.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.145#62532: query: ocsp2.apple.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.145#62532 (ocsp2.apple.com.): answer: ocsp2.apple.com. IN TYPE65 (10.100.0.1) -> NOERROR 313 CNAME ocsp2.g.aaplimg.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#36524 (host074.example.net.): answer: host074.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.145#50127: query: ocsp2.apple.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.145#50127 (ocsp2.apple.com.): answer: ocsp2.apple.com. IN A (10.100.0.1) -> NOERROR 313 CNAME ocsp2.g.aaplimg.com. 13 A 198.51.100.57 13 A 198.51.100.52 13 A 198.51.100.56
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.219#33233: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.219#33233 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#43494: query: host075.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#43494 (host075.example.net.): answer: host075.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.219#33029: query: host008.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.219#33029 (host008.example.net.): answer: host008.example.net. IN A (10.100.0.1) -> NOERROR 3600 A 10.100.0.1
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#53960: query: host076.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.137#61593: query: downloadplugins.citrix.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.137#61593 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#53960 (host076.example.net.): answer: host076.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.167#52213: query: lb._dns-sd._udp.192.0.2.2.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.167#52213 (lb._dns-sd._udp.192.0.2.2.in-addr.arpa.): answer: lb._dns-sd._udp.192.0.2.2.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.167#57423: query: host021.host021.host021.example.net IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.254#44765: query: host077.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.167#57423 (host021.host021.host021.example.net.): answer: host021.host021.host021.example.net. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.254#37392: query: host077.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.254#44765 (host077.example.net.): answer: host077.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.253
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.167#65048: query: app-analytics-services.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.167#65048 (app-analytics-services.com.): answer: app-analytics-services.com. IN A (10.100.0.1) -> NOERROR 201 A 198.51.100.109
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.167#58370: query: lb._dns-sd._udp.198.51.100.113.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.167#58370 (lb._dns-sd._udp.198.51.100.113.in-addr.arpa.): answer: lb._dns-sd._udp.198.51.100.113.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.254#37392 (host077.example.net.): answer: host077.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#57750: query: host078.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#57750 (host078.example.net.): answer: host078.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#38698: query: host079.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#38698 (host079.example.net.): answer: host079.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#59608: query: host080.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#59608 (host080.example.net.): answer: host080.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.95#61842: query: eu-office.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.95#61842 (eu-office.events.data.microsoft.com.): answer: eu-office.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 88 CNAME eu.aria.events.data.trafficmanager.net. 11 CNAME onedscolprdneu02.northeurope.cloudapp.azure.com. 2 A 198.51.100.155
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#57340: query: host081.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#57340 (host081.example.net.): answer: host081.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.225#62845: query: host082.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.225#62845 (host082.example.net.): answer: host082.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#49669: query: host011.host011.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#49669 (host011.host011.example.net.): answer: host011.host011.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.94#50368: query: wise-m.public.cdn.office.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.94#50368 (wise-m.public.cdn.office.net.): answer: wise-m.public.cdn.office.net. IN TYPE65 (10.100.0.1) -> NOERROR 172 CNAME res-prod.trafficmanager.net. 103 CNAME res-1.cdn.office.net. 96 CNAME res-stls-prod.edgesuite.net. 221 CNAME a726.dscd.akamai.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.94#60819: query: wise-m.public.cdn.office.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.94#60819 (wise-m.public.cdn.office.net.): answer: wise-m.public.cdn.office.net. IN A (10.100.0.1) -> NOERROR 171 CNAME res-prod.trafficmanager.net. 102 CNAME res-1.cdn.office.net. 95 CNAME res-stls-prod.edgesuite.net. 220 CNAME a726.dscd.akamai.net. 9 A 198.51.100.75 9 A 198.51.100.71 9 A 198.51.100.73 9 A 198.51.100.70 9 A 198.51.100.67 9 A 198.51.100.61 9 A 198.51.100.63 9 A 198.51.100.68
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#48250: query: host083.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#48250 (host083.example.net.): answer: host083.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#48825: query: host084.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.94#60330: query: euc-excel.officeapps.live.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.94#51758: query: euc-excel.officeapps.live.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.94#60330 (euc-excel.officeapps.live.com.): answer: euc-excel.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 49 CNAME euc-excel-geo.wac.trafficmanager.net. 55 CNAME euc-excel.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 44 CNAME wac-0003.wac-msedge.net. 17 A 198.51.100.235 17 A 198.51.100.236
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.94#51758 (euc-excel.officeapps.live.com.): answer: euc-excel.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR 50 CNAME euc-excel-geo.wac.trafficmanager.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#48825 (host084.example.net.): answer: host084.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#50987: query: gew4-dealer-ssl.spotify.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#50987 (gew4-dealer-ssl.spotify.com.): answer: gew4-dealer-ssl.spotify.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#56510: query: host085.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#56510 (host085.example.net.): answer: host085.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.254#48620: query: 198.51.100.23.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.254#48620 (198.51.100.23.in-addr.arpa.): answer: 198.51.100.23.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host077.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#40677: query: host086.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#40677 (host086.example.net.): answer: host086.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.254#52044: query: host087.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.254#52044 (host087.example.net.): answer: host087.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#56682: query: host088.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.162#53596: query: host021.host021.host021.example.net IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.254#45525: query: host087.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#56682 (host088.example.net.): answer: host088.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.162#53596 (host021.host021.host021.example.net.): answer: host021.host021.host021.example.net. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.254#45525 (host087.example.net.): answer: host087.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.255
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.162#56221: query: lb._dns-sd._udp.192.0.2.2.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.162#64124: query: lb._dns-sd._udp.198.51.100.113.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.162#64124 (lb._dns-sd._udp.198.51.100.113.in-addr.arpa.): answer: lb._dns-sd._udp.198.51.100.113.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.162#56221 (lb._dns-sd._udp.192.0.2.2.in-addr.arpa.): answer: lb._dns-sd._udp.192.0.2.2.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#59798: query: host089.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#59798 (host089.example.net.): answer: host089.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#41456: query: host090.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#41456 (host090.example.net.): answer: host090.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#41941: query: host091.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#41941 (host091.example.net.): answer: host091.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#58281: query: host092.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#58281 (host092.example.net.): answer: host092.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.253#53919: query: host087.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.253#35807: query: host087.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.253#53919 (host087.example.net.): answer: host087.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.255
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.253#35807 (host087.example.net.): answer: host087.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.145#59556: query: ocsp2.g.aaplimg.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.145#59556 (ocsp2.g.aaplimg.com.): answer: ocsp2.g.aaplimg.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#33174: query: host093.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#33174 (host093.example.net.): answer: host093.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56731: query: host020.host020.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56731 (host020.host020.example.net.): answer: host020.host020.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.154#14516 (www.gtv-fleks.nl.): answer: www.gtv-fleks.nl. IN A (10.100.0.1) -> NOERROR 60 CNAME gtv-fleks.nl. 60 A 198.51.100.56
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.43#60529: query: ctldl.windowsupdate.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.43#60529 (ctldl.windowsupdate.com.): answer: ctldl.windowsupdate.com. IN A (10.100.0.1) -> NOERROR 2379 CNAME ctldl.windowsupdate.com.delivery.microsoft.com. 2350 CNAME wu-b-net.trafficmanager.net. 247 CNAME bg.microsoft.map.fastly.net. 19 A 198.51.100.112 19 A 198.51.100.111
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#47471: query: host094.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#47471 (host094.example.net.): answer: host094.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#34785: query: host095.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#34785 (host095.example.net.): answer: host095.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.253#23764: query: 198.51.100.36.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.253#23764 (198.51.100.36.in-addr.arpa.): answer: 198.51.100.36.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host072.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#55384: query: ipagave.azurewebsites.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#55384 (ipagave.azurewebsites.net.): answer: ipagave.azurewebsites.net. IN TYPE65 (10.100.0.1) -> NOERROR 1017 CNAME waws-prod-dm1-013.vip.azurewebsites.windows.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#57943: query: ipagave.azurewebsites.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#57943 (ipagave.azurewebsites.net.): answer: ipagave.azurewebsites.net. IN A (10.100.0.1) -> NOERROR 1017 CNAME waws-prod-dm1-013.vip.azurewebsites.windows.net. 21 CNAME waws-prod-dm1-013.centralus.cloudapp.azure.com. 1 A 198.51.100.216
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#54097: query: host096.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#53931: query: addin.insights.static.microsoft IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#53931 (addin.insights.static.microsoft.): answer: addin.insights.static.microsoft. IN TYPE65 (10.100.0.1) -> NOERROR 157 CNAME agave-prod-afd-d5fmb2bnhpffbrbu.b01.azurefd.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.111#60952: query: dns.msftncsi.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.111#60952 (dns.msftncsi.com.): answer: dns.msftncsi.com. IN A (10.100.0.1) -> NOERROR 8 A 198.51.100.215
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#54097 (host096.example.net.): answer: host096.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#37600: query: host097.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#49224: query: addin.insights.static.microsoft IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#49224 (addin.insights.static.microsoft.): answer: addin.insights.static.microsoft. IN A (10.100.0.1) -> NOERROR 157 CNAME agave-prod-afd-d5fmb2bnhpffbrbu.b01.azurefd.net. 25 CNAME mr-b01.tm-azurefd.net. 28 CNAME dual.part-0017.t-0009.fb-t-msedge.net. 37 CNAME part-0017.t-0009.fb-t-msedge.net. 35 A 198.51.100.210 35 A 198.51.100.211
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#37600 (host097.example.net.): answer: host097.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#47390: query: host098.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#47390 (host098.example.net.): answer: host098.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#55646: query: host099.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#55646 (host099.example.net.): answer: host099.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#35632: query: host100.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#35632 (host100.example.net.): answer: host100.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#52494: query: host101.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#52494 (host101.example.net.): answer: host101.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#43828: query: host102.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.255#36019: query: 198.51.100.36.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#43828 (host102.example.net.): answer: host102.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.255#36019 (198.51.100.36.in-addr.arpa.): answer: 198.51.100.36.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host072.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#49669: query: host024.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#49669 (host024.example.net.): answer: host024.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.69#53821: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.69#53821 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.159#61850: query: a1854.casalemedia.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.255#17520: query: 198.51.100.23.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.98#52482: query: europe.cp.wd.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.98#52482 (europe.cp.wd.microsoft.com.): answer: europe.cp.wd.microsoft.com. IN A (10.100.0.1) -> NOERROR 982 CNAME wd-prod-cp-eu.trafficmanager.net. 208 CNAME wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com. 5 A 198.51.100.227
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.255#17520 (198.51.100.23.in-addr.arpa.): answer: 198.51.100.23.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host077.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.159#59616: query: a1854.casalemedia.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.25#57594: query: host103.host103.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.25#57594 (host103.host103.example.net.): answer: host103.host103.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.1.26
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56731: query: host026.host026.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56731 (host026.host026.example.net.): answer: host026.host026.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.70#57664: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.159#61850 (a1854.casalemedia.com.): answer: a1854.casalemedia.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.70#57664 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#56130: query: star.fallback.c10r.instagram.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#56130 (star.fallback.c10r.instagram.com.): answer: star.fallback.c10r.instagram.com. IN A (10.100.0.1) -> NOERROR 8 A 198.51.100.20
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.159#59616 (a1854.casalemedia.com.): answer: a1854.casalemedia.com. IN A (10.100.0.1) -> NOERROR 2554 A 198.51.100.53
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.188#27352: query: www.google.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.188#27352 (www.google.com.): answer: www.google.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.119#56834: query: 27-courier.push.apple.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.119#56834 (27-courier.push.apple.com.): answer: 27-courier.push.apple.com. IN A (10.100.0.1) -> NOERROR 6530 CNAME 27.courier-push-apple.com.akadns.net. 51 CNAME eu-nw-courier-4.push-apple.com.akadns.net. 22 A 198.51.100.35 22 A 198.51.100.38 22 A 198.51.100.32 22 A 198.51.100.37 22 A 198.51.100.36 22 A 198.51.100.33 22 A 198.51.100.34
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.108#63521: query: eu-office.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.108#63521 (eu-office.events.data.microsoft.com.): answer: eu-office.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 88 CNAME eu.aria.events.data.trafficmanager.net. 11 CNAME onedscolprdneu02.northeurope.cloudapp.azure.com. 2 A 198.51.100.155
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.113#52557: query: settings-win.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.113#52557 (settings-win.data.microsoft.com.): answer: settings-win.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 454 CNAME atm-settingsfe-prod-geo2.trafficmanager.net. 1 CNAME settings-prod-weu-1.westeurope.cloudapp.azure.com. 2 A 198.51.100.231
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.188#22173: query: www.google.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.188#22173 (www.google.com.): answer: www.google.com. IN A (10.100.0.1) -> NOERROR 115 A 198.51.100.244 115 A 198.51.100.249 115 A 198.51.100.246 115 A 198.51.100.247 115 A 198.51.100.243 115 A 198.51.100.245 115 A 198.51.100.242 115 A 198.51.100.248
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.35#53568: query: cdns.eu1.gigya.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.35#62386: query: www.tui.nl IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.35#62386 (www.tui.nl.): answer: www.tui.nl. IN A (10.100.0.1) -> NOERROR 49 CNAME www.tui.nl-v1.edgekey.net. 645 CNAME e116189.dsca.akamaiedge.net. 0 A 198.51.100.130 0 A 198.51.100.127
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#62730: query: z-p42-chat-e2ee-ig.facebook.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#62730 (z-p42-chat-e2ee-ig.facebook.com.): answer: z-p42-chat-e2ee-ig.facebook.com. IN A (10.100.0.1) -> NOERROR 2994 CNAME chat-e2ee-ig-p42.c10r.facebook.com. 36 A 198.51.100.30
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#54985: query: benelph.de IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.13#65356: query: eu-office.events.data.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.144#54084: query: mask.icloud.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.13#65356 (eu-office.events.data.microsoft.com.): answer: eu-office.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 88 CNAME eu.aria.events.data.trafficmanager.net. 11 CNAME onedscolprdneu02.northeurope.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.144#54084 (mask.icloud.com.): answer: mask.icloud.com. IN TYPE65 (10.100.0.1) -> NOERROR 9366 CNAME mask.apple-dns.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.144#64991: query: mask.icloud.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.144#64991 (mask.icloud.com.): answer: mask.icloud.com. IN A (10.100.0.1) -> NOERROR 9366 CNAME mask.apple-dns.net. 3 A 198.51.100.42 3 A 198.51.100.41 3 A 198.51.100.45 3 A 198.51.100.46 3 A 198.51.100.43 3 A 198.51.100.44 3 A 198.51.100.40 3 A 198.51.100.47
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.13#51416: query: eu-office.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.13#51416 (eu-office.events.data.microsoft.com.): answer: eu-office.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 88 CNAME eu.aria.events.data.trafficmanager.net. 11 CNAME onedscolprdneu02.northeurope.cloudapp.azure.com. 2 A 198.51.100.155
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#49816: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#49816 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.55#60563: query: pages.plasticsurgery.org IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#63448: query: benelph.de IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#49669: query: host028.host028.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#49669 (host028.host028.example.net.): answer: host028.host028.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.5#61023: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.5#61023 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#54985 (benelph.de.): answer: benelph.de. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#49196: query: europe.smartscreen.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#49196 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#56229: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#56229 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#63331: query: brwsrfrm.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#51967: query: clients.config.office.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#51967 (clients.config.office.net.): answer: clients.config.office.net. IN TYPE65 (10.100.0.1) -> NOERROR 205 CNAME cloudpolicyclientsconfig.originmira.tm.svc.cloud.microsoft. 14 CNAME atm.common.mira.tm.svc.cloud.microsoft.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#64591: query: clients.config.office.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#64591 (clients.config.office.net.): answer: clients.config.office.net. IN A (10.100.0.1) -> NOERROR 205 CNAME cloudpolicyclientsconfig.originmira.tm.svc.cloud.microsoft. 14 CNAME atm.common.mira.tm.svc.cloud.microsoft. 3 A 198.51.100.175 3 A 198.51.100.169 3 A 198.51.100.170 3 A 198.51.100.173
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#63448 (benelph.de.): answer: benelph.de. IN A (10.100.0.1) -> NOERROR 264 A 198.51.100.232 264 A 198.51.100.222 264 A 198.51.100.226 264 A 198.51.100.229 264 A 198.51.100.234 264 A 198.51.100.225 264 A 198.51.100.235 264 A 198.51.100.223 264 A 198.51.100.217 264 A 198.51.100.219 264 A 198.51.100.221 264 A 198.51.100.218 264 A 198.51.100.224 264 A 198.51.100.227 264 A 198.51.100.216 264 A
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#55028: query: edge.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#52867: query: edge.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#55028 (edge.microsoft.com.): answer: edge.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 626 CNAME edge-microsoft-com.ax-0002.ax-msedge.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#52867 (edge.microsoft.com.): answer: edge.microsoft.com. IN A (10.100.0.1) -> NOERROR 626 CNAME edge-microsoft-com.ax-0002.ax-msedge.net. 80 CNAME ax-0002.ax-dc-msedge.net. 5 A 198.51.100.3 5 A 198.51.100.4
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.50#53035: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.96#59390: query: teams.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.96#59390 (teams.microsoft.com.): answer: teams.microsoft.com. IN A (10.100.0.1) -> NOERROR 95863 CNAME teams.office.com. 29 CNAME tmc-g2.tm-4.office.com. 22 CNAME teams-office-com.s-0005.dual-s-msedge.net. 101 CNAME s-0005.dual-s-msedge.net. 25 A 198.51.100.252 25 A 198.51.100.251
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.50#53035 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.96#51074: query: teams.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.96#51074 (teams.microsoft.com.): answer: teams.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 95863 CNAME teams.office.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56731: query: host030.host030.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56731 (host030.host030.example.net.): answer: host030.host030.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#60016: query: bag.itunes.apple.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#60016 (bag.itunes.apple.com.): answer: bag.itunes.apple.com. IN TYPE65 (10.100.0.1) -> NOERROR 3189 CNAME bag-cdn.itunes-apple.com.akadns.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#49940: query: configuration.apple.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#52786: query: configuration.apple.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#52786 (configuration.apple.com.): answer: configuration.apple.com. IN TYPE65 (10.100.0.1) -> NOERROR 38606 CNAME configuration.apple.com.akadns.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.38#62332: query: api2.cursor.sh IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#55554: query: brwsrfrm.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#50952: query: bag.itunes.apple.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#50952 (bag.itunes.apple.com.): answer: bag.itunes.apple.com. IN A (10.100.0.1) -> NOERROR 3190 CNAME bag-cdn.itunes-apple.com.akadns.net. 518 CNAME bag-cdn-lb.itunes-apple.com.akadns.net. 134 CNAME h3.apis.apple.map.fastly.net. 30 A 198.51.100.11 30 A 198.51.100.13 30 A 198.51.100.16 30 A 198.51.100.8
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.60#53347: query: eu-mobile.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.144#61139: query: mask.apple-dns.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.60#53347 (eu-mobile.events.data.microsoft.com.): answer: eu-mobile.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 8 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.144#61139 (mask.apple-dns.net.): answer: mask.apple-dns.net. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.235#43542: query: hbase-rs.node6.isieca.eca.local IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.235#43542 (hbase-rs.node6.isieca.eca.local.): answer: hbase-rs.node6.isieca.eca.local. IN AAAA (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#63331 (brwsrfrm.com.): answer: brwsrfrm.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.86#58372: query: enterpriseregistration.windows.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.86#58372 (enterpriseregistration.windows.net.): answer: enterpriseregistration.windows.net. IN A (10.100.0.1) -> NOERROR 1792 CNAME na.privatelink.msidentity.com. 129 CNAME prdf.aadg.msidentity.com. 21 CNAME www.tm.f.prd.aadg.akadns.net. 291 A 198.51.100.212 291 A 198.51.100.213 291 A 198.51.100.150 291 A 198.51.100.215 291 A 198.51.100.152 291 A 198.51.100.151 291 A 198.51.100.214 291 A 40.126.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#52932: query: testorg.sharepoint.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#52932 (testorg.sharepoint.com.): answer: testorg.sharepoint.com. IN TYPE65 (10.100.0.1) -> NOERROR 3484 CNAME 1271-ipv4v6s.clump.dprodmgd104.aa-rt.sharepoint.com. 22 CNAME 189376-ipv4v6s.farm.dprodmgd104.aa-rt.sharepoint.com. 3 CNAME 189376-ipv4v6g.farm.dprodmgd104.sharepointonline.com.akadns.net. 260 CNAME 189376-ipv4v6.farm.dprodmgd104.aa-rt.sharepoint.com.dual-spo-0005.sp
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.12#63585: query: example.net IN SOA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.12#63585 (example.net.): answer: example.net. IN SOA (10.100.0.1) -> NOERROR 3600 SOA host015.example.net. empty.empty. 1438828 3600 600 1209600 3600
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#58829: query: testorg.sharepoint.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#58829 (testorg.sharepoint.com.): answer: testorg.sharepoint.com. IN A (10.100.0.1) -> NOERROR 3484 CNAME 1271-ipv4v6s.clump.dprodmgd104.aa-rt.sharepoint.com. 22 CNAME 189376-ipv4v6s.farm.dprodmgd104.aa-rt.sharepoint.com. 3 CNAME 189376-ipv4v6g.farm.dprodmgd104.sharepointonline.com.akadns.net. 260 CNAME 189376-ipv4v6.farm.dprodmgd104.aa-rt.sharepoint.com.dual-spo-0005.spo-mse
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#49669: query: wpad.canbus.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#49669 (wpad.canbus.net.): answer: wpad.canbus.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#55554 (brwsrfrm.com.): answer: brwsrfrm.com. IN A (10.100.0.1) -> NOERROR 104 A 198.51.100.218 104 A 198.51.100.224 104 A 198.51.100.225 104 A 198.51.100.222 104 A 198.51.100.234 104 A 198.51.100.216 104 A 198.51.100.217 104 A 198.51.100.233 104 A 198.51.100.231 104 A 198.51.100.235 104 A 198.51.100.227 104 A 198.51.100.230 104 A 198.51.100.229 104 A 198.51.100.228 104 A 198.51.100.220 10
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52689: query: host037.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52689 (host037.example.net.): answer: host037.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52689: query: host037.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52689 (host037.example.net.): answer: host037.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.1.14
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52689: query: host041.host041.host041.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.176#50469: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.176#50469 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52689 (host041.host041.host041.example.net.): answer: host041.host041.host041.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56731: query: wpad.acds.canon-europe.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.6#60085: query: host019.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.6#60085 (host019.example.net.): answer: host019.example.net. IN A (10.100.0.1) -> NOERROR 180 A 10.1.1.8
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.124#57628: query: host019.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.124#57628 (host019.example.net.): answer: host019.example.net. IN A (10.100.0.1) -> NOERROR 180 A 10.1.1.8
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.62#1026: query: host104.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.62#1026 (host105.example.net.): answer: host105.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 172.16.2.61
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.35#53568 (cdns.eu1.gigya.com.): answer: cdns.eu1.gigya.com. IN A (10.100.0.1) -> NOERROR 46 CNAME d18uol17ln7pq5.cloudfront.net. 2 A 198.51.100.101 2 A 198.51.100.103 2 A 198.51.100.102 2 A 198.51.100.100
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#53142: query: configuration.apple.com.akadns.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#53142 (configuration.apple.com.akadns.net.): answer: configuration.apple.com.akadns.net. IN TYPE65 (10.100.0.1) -> NOERROR 13 CNAME configuration-row-lb.apple.com.akadns.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.124#63372: query: officeclient.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.124#63372 (officeclient.microsoft.com.): answer: officeclient.microsoft.com. IN A (10.100.0.1) -> NOERROR 858 CNAME config.officeapps.live.com. 903 CNAME prod.configsvc1.live.com.akadns.net. 11 CNAME europe.configsvc1.live.com.akadns.net. 249 CNAME config-prod-weightedww.trafficmanager.net. 54 CNAME atm.office.mira.tm.svc.cloud.microsoft. 9 A 198.51.100.237 9 A 198.51.100.239 9 A 52.11
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#52968: query: bag-cdn.itunes-apple.com.akadns.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#52968 (bag-cdn.itunes-apple.com.akadns.net.): answer: bag-cdn.itunes-apple.com.akadns.net. IN TYPE65 (10.100.0.1) -> NOERROR 517 CNAME bag-cdn-lb.itunes-apple.com.akadns.net. 133 CNAME h3.apis.apple.map.fastly.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.6#51330: query: host022.host022.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.6#51330 (host023.host023.example.net.): answer: host023.host023.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.5#56033: query: host007.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.5#56033: query: host007.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.5#56033 (host007.example.net.): answer: host007.example.net. IN A (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net. 3600 A 10.100.0.1
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.5#56033 (host007.example.net.): answer: host007.example.net. IN AAAA (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#58919: query: mask.icloud.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#58919 (mask.icloud.com.): answer: mask.icloud.com. IN TYPE65 (10.100.0.1) -> NOERROR 9366 CNAME mask.apple-dns.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.33#54504: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.33#54504 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#50582: query: mask.icloud.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#50582 (mask.icloud.com.): answer: mask.icloud.com. IN A (10.100.0.1) -> NOERROR 9366 CNAME mask.apple-dns.net. 3 A 198.51.100.47 3 A 198.51.100.42 3 A 198.51.100.41 3 A 198.51.100.45 3 A 198.51.100.46 3 A 198.51.100.43 3 A 198.51.100.44 3 A 198.51.100.40
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.40#56746: query: msedge.b.tlu.dl.delivery.mp.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.40#56746 (msedge.b.tlu.dl.delivery.mp.microsoft.com.): answer: msedge.b.tlu.dl.delivery.mp.microsoft.com. IN A (10.100.0.1) -> NOERROR 167 CNAME star.b.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com. 5168 CNAME cdp-f-tlu-net.trafficmanager.net. 51 CNAME wildcard.f.tlu.dl.delivery.mp.microsoft.com.edgesuite.net. 3735 CNAME a1847.dscd.akamai.net. 2 A 198.51.100.69 2 A 96.1
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#55168: query: edge.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#55168 (edge.microsoft.com.): answer: edge.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 626 CNAME edge-microsoft-com.ax-0002.ax-msedge.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#58590: query: edge.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#58590 (edge.microsoft.com.): answer: edge.microsoft.com. IN A (10.100.0.1) -> NOERROR 626 CNAME edge-microsoft-com.ax-0002.ax-msedge.net. 80 CNAME ax-0002.ax-dc-msedge.net. 5 A 198.51.100.3 5 A 198.51.100.4
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#50468: query: instagram.c10r.instagram.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#50468 (instagram.c10r.instagram.com.): answer: instagram.c10r.instagram.com. IN A (10.100.0.1) -> NOERROR 36 A 198.51.100.27
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56731 (wpad.acds.canon-europe.com.): answer: wpad.acds.canon-europe.com. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.171#49449: query: captive-cidr.origin-apple.com.akadns.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.171#49449 (captive-cidr.origin-apple.com.akadns.net.): answer: captive-cidr.origin-apple.com.akadns.net. IN A (10.100.0.1) -> NOERROR 281 CNAME captive-geo.origin-apple.com.akadns.net. 52 CNAME captive.g.aaplimg.com. 5 A 198.51.100.52 5 A 198.51.100.57
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.171#64568: query: captive-cidr.origin-apple.com.akadns.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.159#56013: query: eu-teams.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.159#56013 (eu-teams.events.data.microsoft.com.): answer: eu-teams.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 9 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.75#64780: query: ps.pndsn.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.75#64780 (ps.pndsn.com.): answer: ps.pndsn.com. IN A (10.100.0.1) -> NOERROR 275 A 198.51.100.199 275 A 198.51.100.200
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.79#61599: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.79#61599 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.80#59144: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.80#59144 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.15#53168: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.15#53168 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#49940 (configuration.apple.com.): answer: configuration.apple.com. IN A (10.100.0.1) -> NOERROR 38606 CNAME configuration.apple.com.akadns.net. 13 CNAME configuration-row-lb.apple.com.akadns.net. 30 CNAME configuration.v.aaplimg.com. 15 A 198.51.100.57 15 A 198.51.100.52
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.171#64568 (captive-cidr.origin-apple.com.akadns.net.): answer: captive-cidr.origin-apple.com.akadns.net. IN TYPE65 (10.100.0.1) -> NOERROR 281 CNAME captive-geo.origin-apple.com.akadns.net. 52 CNAME captive.g.aaplimg.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.124#54829: query: host022.host022.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.124#54829 (host023.host023.example.net.): answer: host023.host023.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#61703: query: mask.apple-dns.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#61703 (mask.apple-dns.net.): answer: mask.apple-dns.net. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#54005: query: configuration-row-lb.apple.com.akadns.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.57#60230: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.57#60230 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.156#62018: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.156#62018 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.57#50177: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.57#50177 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.83#59693: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.83#59693 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.38#62332 (api2.cursor.sh.): answer: api2.cursor.sh. IN A (10.100.0.1) -> NOERROR 300 CNAME api2geo.cursor.sh. 300 CNAME api2direct.cursor.sh. 12 A 198.51.100.195 12 A 198.51.100.14 12 A 198.51.100.186 12 A 198.51.100.4 12 A 198.51.100.185 12 A 198.51.100.83 12 A 198.51.100.178 12 A 198.51.100.185
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#49669: query: host106.host106.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#48380: query: 198.51.100.236.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#48380 (198.51.100.236.in-addr.arpa.): answer: 198.51.100.236.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host107.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.131#63891: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.131#63891 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.175#64788: query: forum.viva.nl IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.175#63931: query: forum.viva.nl IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#50878: query: test-gateway.instagram.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#50878 (test-gateway.instagram.com.): answer: test-gateway.instagram.com. IN TYPE65 (10.100.0.1) -> NOERROR 2033 CNAME dgw-ig.c10r.facebook.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.50#53836: query: host007.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.50#53836 (host007.example.net.): answer: host007.example.net. IN AAAA (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#59915: query: test-gateway.instagram.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#59915 (test-gateway.instagram.com.): answer: test-gateway.instagram.com. IN A (10.100.0.1) -> NOERROR 2033 CNAME dgw-ig.c10r.facebook.com. 8 A 198.51.100.28
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.62#51018: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.62#51018 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.182#60559: query: browser.events.data.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.182#60559 (browser.events.data.microsoft.com.): answer: browser.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 48 CNAME browser.events.data.trafficmanager.net. 47 CNAME onedscolprdcus03.centralus.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.243#63757: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.243#63757 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#54005 (configuration-row-lb.apple.com.akadns.net.): answer: configuration-row-lb.apple.com.akadns.net. IN TYPE65 (10.100.0.1) -> NOERROR 30 CNAME configuration.v.aaplimg.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52692: query: host037.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52692 (host037.example.net.): answer: host037.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52692: query: host037.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52692 (host037.example.net.): answer: host037.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.1.14
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52692: query: host041.host041.host041.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52692 (host041.host041.host041.example.net.): answer: host041.host041.host041.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.136#51314: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.136#51314 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.175#64788 (forum.viva.nl.): answer: forum.viva.nl. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.136#65429: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.136#65429 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.50#59089: query: host008.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.50#59089 (host008.example.net.): answer: host008.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.37#58764: query: euc-powerpoint.officeapps.live.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.37#58764 (euc-powerpoint.officeapps.live.com.): answer: euc-powerpoint.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR 2 CNAME euc-powerpoint-geo.wac.trafficmanager.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#49669 (host106.host106.example.net.): answer: host106.host106.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.37#58331: query: euc-powerpoint.officeapps.live.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.37#58331 (euc-powerpoint.officeapps.live.com.): answer: euc-powerpoint.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 2 CNAME euc-powerpoint-geo.wac.trafficmanager.net. 18 CNAME euc-powerpoint.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 27 CNAME euc-powerpoint.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net. 24 CNAME wac-0003.wac-dc-msedge.net
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.137#44847: query: www.python.org IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.198#38176: query: host012.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.198#58554: query: host012.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.198#38176 (host012.example.net.): answer: host012.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.198#58554 (host012.example.net.): answer: host012.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.196
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.151#50782: query: ingestion.smartocto.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.151#50782 (ingestion.smartocto.com.): answer: ingestion.smartocto.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.182#56844: query: browser.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.182#56844 (browser.events.data.microsoft.com.): answer: browser.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 48 CNAME browser.events.data.trafficmanager.net. 47 CNAME onedscolprdcus03.centralus.cloudapp.azure.com. 5 A 198.51.100.214
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#63224: query: browser.events.data.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#63224 (browser.events.data.microsoft.com.): answer: browser.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 48 CNAME browser.events.data.trafficmanager.net. 47 CNAME onedscolprdcus03.centralus.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.151#51861: query: ingestion.smartocto.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#62435: query: browser.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#62435 (browser.events.data.microsoft.com.): answer: browser.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 48 CNAME browser.events.data.trafficmanager.net. 47 CNAME onedscolprdcus03.centralus.cloudapp.azure.com. 5 A 198.51.100.214
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55500: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55500 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.50#46710: query: host007.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.50#46710 (host007.example.net.): answer: host007.example.net. IN A (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net. 3600 A 10.100.0.1
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55501: query: host036.host036.host036.host036.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55501 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55502: query: host036.host036.host036.host036.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.47#53436: query: mail.yahoo.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.47#53436 (mail.yahoo.com.): answer: mail.yahoo.com. IN TYPE65 (10.100.0.1) -> NOERROR 48 CNAME edge.gycpi.b.yahoodns.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55502 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.47#59981: query: mail.yahoo.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.47#59981 (mail.yahoo.com.): answer: mail.yahoo.com. IN A (10.100.0.1) -> NOERROR 48 CNAME edge.gycpi.b.yahoodns.net. 17 A 198.51.100.55 17 A 198.51.100.54
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.166#63308: query: host108.host108.host108.host108.host108.example.net IN SRV (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.166#63308 (host109.host109.host109.host109.host109.example.net.): answer: host109.host109.host109.host109.host109.example.net. IN SRV (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55503: query: host038.host038.host038.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55503 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55504: query: host038.host038.host038.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.137#44847 (www.python.org.): answer: www.python.org. IN A (10.100.0.1) -> NOERROR 260276 CNAME dualstack.python.map.fastly.net. 60 A 198.51.100.14 60 A 198.51.100.6 60 A 198.51.100.9 60 A 198.51.100.5
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55504 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55505: query: host039.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55505 (host039.example.net.): answer: host039.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.205
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55506: query: host039.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55506 (host039.example.net.): answer: host039.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.166#63308: query: host110.host110.host110.example.net IN SRV (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.151#51861 (ingestion.smartocto.com.): answer: ingestion.smartocto.com. IN A (10.100.0.1) -> NOERROR 57 A 198.51.100.18 57 A 198.51.100.16 57 A 198.51.100.1
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.166#63308 (host110.host110.host110.example.net.): answer: host110.host110.host110.example.net. IN SRV (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.150#50204: query: graph.whatsapp.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.150#50204 (graph.whatsapp.com.): answer: graph.whatsapp.com. IN TYPE65 (10.100.0.1) -> NOERROR 780 CNAME whatsapp.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.150#53023: query: graph.whatsapp.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.125#56738: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.150#53023 (graph.whatsapp.com.): answer: graph.whatsapp.com. IN A (10.100.0.1) -> NOERROR 780 CNAME whatsapp.com. 22 A 198.51.100.32
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.125#56738 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.155#54459: query: gateway.fe2.apple-dns.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.18#50345: query: api.flightproxy.teams.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.155#54459 (gateway.fe2.apple-dns.net.): answer: gateway.fe2.apple-dns.net. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.18#50345 (api.flightproxy.teams.microsoft.com.): answer: api.flightproxy.teams.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 546 CNAME api.flightproxy.teams.trafficmanager.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.18#60063: query: api.flightproxy.teams.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.18#60063 (api.flightproxy.teams.microsoft.com.): answer: api.flightproxy.teams.microsoft.com. IN A (10.100.0.1) -> NOERROR 545 CNAME api.flightproxy.teams.trafficmanager.net. 6 CNAME ep-euwe-02-prod-aks.flightproxy.teams.microsoft.com. 1468 CNAME epx.euwe-02.ic3-calling-enterpriseproxy.westeurope-prod.cosmic.office.net. 3 CNAME cosmic-westeurope-ns-018d0b8c6998.trafficmanager.net
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#52413: query: dgw-ig.c10r.facebook.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#52413 (dgw-ig.c10r.facebook.com.): answer: dgw-ig.c10r.facebook.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.50#33649: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.50#33649 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.244#45654: query: host111.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.244#33638: query: host111.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.244#33638 (host111.example.net.): answer: host111.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.244#45654 (host111.example.net.): answer: host111.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.246
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.58#58734: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.58#58734 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.150#54182: query: whatsapp.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.150#54182 (whatsapp.com.): answer: whatsapp.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#56996: query: _dns.resolver.arpa IN TYPE64 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#56996 (_dns.resolver.arpa.): answer: _dns.resolver.arpa. IN TYPE64 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#56638: query: euc-common.online.office.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#56638 (euc-common.online.office.com.): answer: euc-common.online.office.com. IN TYPE65 (10.100.0.1) -> NOERROR 258 CNAME euc-common-geo.wac.trafficmanager.net. 5 CNAME euc-common.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 35 CNAME wac-0003.wac-msedge.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#49889: query: gsp85-ssl.ls.apple.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#49889 (gsp85-ssl.ls.apple.com.): answer: gsp85-ssl.ls.apple.com. IN A (10.100.0.1) -> NOERROR 1017 CNAME gsp85-ssl.ls2-apple.com.akadns.net. 27 A 198.51.100.23
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#50672: query: euc-common.online.office.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#50672 (euc-common.online.office.com.): answer: euc-common.online.office.com. IN A (10.100.0.1) -> NOERROR 258 CNAME euc-common-geo.wac.trafficmanager.net. 5 CNAME euc-common.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 35 CNAME wac-0003.wac-msedge.net. 18 A 198.51.100.235 18 A 198.51.100.236
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#64577: query: mask.icloud.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#64577 (mask.icloud.com.): answer: mask.icloud.com. IN TYPE65 (10.100.0.1) -> NOERROR 9366 CNAME mask.apple-dns.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#57496: query: gsp85-ssl.ls.apple.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#57496 (gsp85-ssl.ls.apple.com.): answer: gsp85-ssl.ls.apple.com. IN TYPE65 (10.100.0.1) -> NOERROR 1017 CNAME gsp85-ssl.ls2-apple.com.akadns.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#50637: query: mask.icloud.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#50637 (mask.icloud.com.): answer: mask.icloud.com. IN A (10.100.0.1) -> NOERROR 9366 CNAME mask.apple-dns.net. 3 A 198.51.100.44 3 A 198.51.100.40 3 A 198.51.100.47 3 A 198.51.100.42 3 A 198.51.100.41 3 A 198.51.100.45 3 A 198.51.100.46 3 A 198.51.100.43
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64717: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.234#56863: query: hbase-rs.node4.isieca.eca.local IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.234#56863 (hbase-rs.node4.isieca.eca.local.): answer: hbase-rs.node4.isieca.eca.local. IN AAAA (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64717 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.234#44647: query: hbase-rs.node6.isieca.eca.local IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.234#44647 (hbase-rs.node6.isieca.eca.local.): answer: hbase-rs.node6.isieca.eca.local. IN AAAA (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.246#47119: query: 172.16.2.74.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.246#47119 (172.16.2.74.in-addr.arpa.): answer: 172.16.2.74.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host112.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64718: query: host036.host036.host036.host036.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64718 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64719: query: host036.host036.host036.host036.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64719 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64720: query: host038.host038.host038.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64720 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64721: query: host038.host038.host038.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64721 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64722: query: host039.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64722 (host039.example.net.): answer: host039.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.205
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.44#59426: query: edr-weu.eu.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.44#59426 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 15 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com. 3 A 198.51.100.158
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.183#50218: query: oneocsp.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.183#50218 (oneocsp.microsoft.com.): answer: oneocsp.microsoft.com. IN A (10.100.0.1) -> NOERROR 2284 CNAME oneocsp-microsoft-com.a-0003.a-msedge.net. 165 CNAME a-0003.a-msedge.net. 136 A 198.51.100.159
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.160#63010: query: mediacloud.xiaohongshu.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#55581: query: host113.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#53076: query: oauth.officeapps.live.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#53076 (oauth.officeapps.live.com.): answer: oauth.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR 52 CNAME oauth-geo.wac.trafficmanager.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#55581 (host113.example.net.): answer: host113.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.207
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64723: query: host039.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64723 (host039.example.net.): answer: host039.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#50047: query: oauth.officeapps.live.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#50047 (oauth.officeapps.live.com.): answer: oauth.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 52 CNAME oauth-geo.wac.trafficmanager.net. 57 CNAME oauth.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 12 CNAME wac-0003.wac-msedge.net. 18 A 198.51.100.235 18 A 198.51.100.236
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.226#64052: query: example.net IN SOA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#59527: query: host113.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.226#64052 (example.net.): answer: example.net. IN SOA (10.100.0.1) -> NOERROR 3600 SOA host015.example.net. empty.empty. 1438828 3600 600 1209600 3600
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#59527 (host113.example.net.): answer: host113.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.207
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.39#57805: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.39#57805 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.199#39324: query: host114.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.199#39324 (host114.example.net.): answer: host114.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.199
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.199#39324: query: host114.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.199#39324 (host114.example.net.): answer: host114.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#38653: query: host115.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#38653 (HIxComeZmm-p.EXAMPLE.NET.): answer: HIxComeZmm-p.EXAMPLE.NET. IN AAAA (10.100.0.1) -> NOERROR 28800 CNAME host116.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#55708: query: host113.example.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#55708 (host113.example.net.): answer: host113.example.net. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#65129: query: host113.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#65129 (host113.example.net.): answer: host113.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.207
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.244#38406: query: host117.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.244#38406 (host117.example.net.): answer: host117.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.244#47531: query: host117.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.244#47531 (host117.example.net.): answer: host117.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.245
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#53138: query: host013.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#53138: query: host013.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#53138 (host013.example.net.): answer: host013.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.217
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#53138 (host013.example.net.): answer: host013.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#61661: query: sstats.adobe.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#61661 (sstats.adobe.com.): answer: sstats.adobe.com. IN TYPE65 (10.100.0.1) -> NOERROR 470 CNAME adobe.com.ssl.d1.sc.omtrdc.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#62336: query: sstats.adobe.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#62336 (sstats.adobe.com.): answer: sstats.adobe.com. IN A (10.100.0.1) -> NOERROR 470 CNAME adobe.com.ssl.d1.sc.omtrdc.net. 374 A 198.51.100.45 374 A 198.51.100.40 374 A 198.51.100.44 374 A 198.51.100.42 374 A 198.51.100.43 374 A 198.51.100.41
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54970: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54970 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54971: query: host036.host036.host036.host036.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54971 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54972: query: host036.host036.host036.host036.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#50988: query: acrobat.adobe.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#50988 (acrobat.adobe.com.): answer: acrobat.adobe.com. IN TYPE65 (10.100.0.1) -> NOERROR 124 CNAME acrobat.adobe.com.i.edgekey.net. 18179 CNAME e29329.dsca.akamaiedge.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54972 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#59257: query: acrobat.adobe.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54973: query: host038.host038.host038.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54973 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#51802: query: www.bing.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#51802 (www.bing.com.): answer: www.bing.com. IN TYPE65 (10.100.0.1) -> NOERROR 1256 CNAME www-www.bing.com.trafficmanager.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54974: query: host038.host038.host038.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#58772: query: www.bing.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#58772 (www.bing.com.): answer: www.bing.com. IN A (10.100.0.1) -> NOERROR 1256 CNAME www-www.bing.com.trafficmanager.net. 22 CNAME www.bing.com.edgekey.net. 9122 CNAME e86303.dscx.akamaiedge.net. 3 A 198.51.100.120 3 A 198.51.100.119 3 A 198.51.100.117 3 A 198.51.100.121 3 A 198.51.100.118
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54974 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#55257: query: europe.smartscreen.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#55257 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54975: query: host039.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54975 (host039.example.net.): answer: host039.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.205
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.245#10038: query: 172.16.2.74.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.245#10038 (172.16.2.74.in-addr.arpa.): answer: 172.16.2.74.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host112.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#59984: query: graph.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#59984 (graph.microsoft.com.): answer: graph.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 1054 CNAME ags.privatelink.msidentity.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#62382: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#62382 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54976: query: host039.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54976 (host039.example.net.): answer: host039.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#56397: query: graph.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#56397 (graph.microsoft.com.): answer: graph.microsoft.com. IN A (10.100.0.1) -> NOERROR 1055 CNAME ags.privatelink.msidentity.com. 165 CNAME www.tm.prd.ags.akadns.net. 122 A 198.51.100.139 122 A 198.51.100.138 122 A 198.51.100.149 122 A 198.51.100.142 122 A 198.51.100.140 122 A 198.51.100.143 122 A 198.51.100.141 122 A 198.51.100.210
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.135#50811: query: host031.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.135#50811 (host031.example.net.): answer: host031.example.net. IN A (10.100.0.1) -> NOERROR 300 A 10.1.1.134
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.135#50811: query: host031.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.135#50811 (host031.example.net.): answer: host031.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#60667: query: mask.apple-dns.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#60667 (mask.apple-dns.net.): answer: mask.apple-dns.net. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#54966: query: gsp85-ssl.ls2-apple.com.akadns.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#50731: query: host058.host058.host058.host058.host058.host058.example.net IN SRV (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#54966 (gsp85-ssl.ls2-apple.com.akadns.net.): answer: gsp85-ssl.ls2-apple.com.akadns.net. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#50731 (host062.host062.host062.host062.host062.host062.example.net.): answer: host062.host062.host062.host062.host062.host062.example.net. IN SRV (10.100.0.1) -> NOERROR 600 SRV 0 100 389 host034.example.net. 600 SRV 0 100 389 host005.example.net. 600 SRV 0 100 389 host061.example.net. 600 SRV 0 100 389 host059.example.net. 600 SRV 0 100 389 host060.example.net. 600 SRV 0 100 389 host063.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#50318: query: euc-collabrtc.officeapps.live.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#50318 (euc-collabrtc.officeapps.live.com.): answer: euc-collabrtc.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#65416: query: euc-collabrtc.officeapps.live.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#65416 (euc-collabrtc.officeapps.live.com.): answer: euc-collabrtc.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 258 CNAME euc-collabrtc-geo.rtc.trafficmanager.net. 31 CNAME euc-collabrtc.rtc.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 4 CNAME wac-0003.wac-msedge.net. 18 A 198.51.100.236 18 A 198.51.100.235
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.160#63010 (mediacloud.xiaohongshu.com.): answer: mediacloud.xiaohongshu.com. IN A (10.100.0.1) -> NOERROR 488 CNAME mediacloud.xiaohongshu.com.edgesuite.net. 17503 CNAME a1674.dscb.akamai.net. 20 A 198.51.100.123 20 A 198.51.100.115
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#56684: query: host118.host118.example.net IN TXT (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#56684 (host118.host118.example.net.): answer: host118.host118.example.net. IN TXT (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#51473: query: host119.host119.example.net IN TXT (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#51473 (host119.host119.example.net.): answer: host119.host119.example.net. IN TXT (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#54165: query: host120.host120.example.net IN TXT (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#54165 (host120.host120.example.net.): answer: host120.host120.example.net. IN TXT (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#62819: query: host121.host121.example.net IN TXT (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#62819 (host121.host121.example.net.): answer: host121.host121.example.net. IN TXT (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#51755: query: browser.events.data.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#51755 (browser.events.data.microsoft.com.): answer: browser.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 48 CNAME browser.events.data.trafficmanager.net. 47 CNAME onedscolprdcus03.centralus.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#64640: query: browser.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#64640 (browser.events.data.microsoft.com.): answer: browser.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 48 CNAME browser.events.data.trafficmanager.net. 47 CNAME onedscolprdcus03.centralus.cloudapp.azure.com. 5 A 198.51.100.214
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#52485: query: host122.host122.example.net IN TXT (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#52485 (host122.host122.example.net.): answer: host122.host122.example.net. IN TXT (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.9#63494: query: euc-excel-telemetry.officeapps.live.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.5#63344: query: host007.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.5#63344: query: host007.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.9#63494 (euc-excel-telemetry.officeapps.live.com.): answer: euc-excel-telemetry.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 236 CNAME euc-excel-telemetry.wac.trafficmanager.net. 240 CNAME pgteu4-excel-telemetry-vip.officeapps.live.com. 222 A 198.51.100.232
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.5#63344 (host007.example.net.): answer: host007.example.net. IN A (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net. 3600 A 10.100.0.1
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.5#63344 (host007.example.net.): answer: host007.example.net. IN AAAA (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.9#63929: query: euc-excel-telemetry.officeapps.live.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.9#63929 (euc-excel-telemetry.officeapps.live.com.): answer: euc-excel-telemetry.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR 236 CNAME euc-excel-telemetry.wac.trafficmanager.net. 240 CNAME pgteu4-excel-telemetry-vip.officeapps.live.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#59257 (acrobat.adobe.com.): answer: acrobat.adobe.com. IN A (10.100.0.1) -> NOERROR 124 CNAME acrobat.adobe.com.i.edgekey.net. 18179 CNAME e29329.dsca.akamaiedge.net. 20 A 198.51.100.124 20 A 198.51.100.128
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.59#55236: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.59#55236 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.20#52539: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.20#52539 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#63085: query: host021.host021.host021.example.net IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#63085 (host021.host021.host021.example.net.): answer: host021.host021.host021.example.net. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#51750: query: lb._dns-sd._udp.192.0.2.2.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#56037: query: lb._dns-sd._udp.198.51.100.184.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#59909: query: lb._dns-sd._udp.192.0.2.1.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#51750 (lb._dns-sd._udp.192.0.2.2.in-addr.arpa.): answer: lb._dns-sd._udp.192.0.2.2.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#56037 (lb._dns-sd._udp.198.51.100.184.in-addr.arpa.): answer: lb._dns-sd._udp.198.51.100.184.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#59909 (lb._dns-sd._udp.192.0.2.1.in-addr.arpa.): answer: lb._dns-sd._udp.192.0.2.1.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#49417: query: lb._dns-sd._udp.198.51.100.18.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#49417 (lb._dns-sd._udp.198.51.100.18.in-addr.arpa.): answer: lb._dns-sd._udp.198.51.100.18.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.53#51166: query: edr-weu.eu.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.53#51166 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 15 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com. 3 A 198.51.100.158
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.67#50697: query: www.google.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.67#50697 (www.google.com.): answer: www.google.com. IN A (10.100.0.1) -> NOERROR 115 A 198.51.100.248 115 A 198.51.100.244 115 A 198.51.100.249 115 A 198.51.100.246 115 A 198.51.100.247 115 A 198.51.100.243 115 A 198.51.100.245 115 A 198.51.100.242
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#39781: query: host123.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#39781: query: host123.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#39781 (host123.example.net.): answer: host123.example.net. IN A (10.100.0.1) -> NOERROR 1800 A 10.1.0.97
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#39781 (host123.example.net.): answer: host123.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.22#44984: query: host124.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#50542: query: host125.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.22#44984: query: host124.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#50542: query: host125.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.22#44984 (host124.example.net.): answer: host124.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.238
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.22#44984 (host124.example.net.): answer: host124.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#50542 (host125.example.net.): answer: host125.example.net. IN A (10.100.0.1) -> NOERROR 1800 A 10.1.0.70
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#50542 (host125.example.net.): answer: host125.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#44266: query: host126.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#44266: query: host126.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#44266 (host126.example.net.): answer: host126.example.net. IN A (10.100.0.1) -> NOERROR 1800 A 10.1.0.103
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#44266 (host126.example.net.): answer: host126.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.156#51387: query: www.linkedin.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.156#51387 (www.linkedin.com.): answer: www.linkedin.com. IN TYPE65 (10.100.0.1) -> NOERROR 111 CNAME cf-afd.www.linkedin.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#43261: query: host127.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#43261: query: host127.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#43261 (host127.example.net.): answer: host127.example.net. IN A (10.100.0.1) -> NOERROR 1800 A 10.1.0.17
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#43261 (host127.example.net.): answer: host127.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.156#56951: query: media.licdn.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.156#56951 (media.licdn.com.): answer: media.licdn.com. IN TYPE65 (10.100.0.1) -> NOERROR 227 CNAME media.cm.licdn.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.156#60501: query: media.licdn.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.156#60501 (media.licdn.com.): answer: media.licdn.com. IN A (10.100.0.1) -> NOERROR 227 CNAME media.cm.licdn.com. 83 CNAME media-fsly.sb.lnkdns.net. 1563 CNAME fs-ak-cf.media.sb.lnkdns.net. 110 CNAME linkedin.map.fastly.net. 40 A 198.51.100.7 40 A 198.51.100.12 40 A 198.51.100.15 40 A 198.51.100.10
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#58534: query: graph-fallback.facebook.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#58534 (graph-fallback.facebook.com.): answer: graph-fallback.facebook.com. IN A (10.100.0.1) -> NOERROR 3182 CNAME star.fallback.c10r.facebook.com. 22 A 198.51.100.19
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.156#53509: query: www.linkedin.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#36049: query: host128.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#36049: query: host128.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.156#53509 (www.linkedin.com.): answer: www.linkedin.com. IN A (10.100.0.1) -> NOERROR 111 CNAME cf-afd.www.linkedin.com. 48 CNAME www.linkedin.com.cdn.cloudflare.net. 107 A 198.51.100.204 107 A 172.16.2.77
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#36049 (host128.example.net.): answer: host128.example.net. IN A (10.100.0.1) -> NOERROR 1800 A 10.1.0.49
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#36049 (host128.example.net.): answer: host128.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#60817: query: host129.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#60817: query: host129.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#60817 (host129.example.net.): answer: host129.example.net. IN A (10.100.0.1) -> NOERROR 1800 A 10.1.0.72
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#60817 (host129.example.net.): answer: host129.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#48201: query: host130.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#48201: query: host130.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#48201 (host130.example.net.): answer: host130.example.net. IN A (10.100.0.1) -> NOERROR 1800 A 10.1.1.136
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#48201 (host130.example.net.): answer: host130.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#51196: query: host131.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#51196: query: host131.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#51196 (host131.example.net.): answer: host131.example.net. IN A (10.100.0.1) -> NOERROR 1800 A 10.1.1.139
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#51196 (host131.example.net.): answer: host131.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.188#45272: query: host132.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.188#45272 (host132.example.net.): answer: host132.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.224
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#52227: query: acrobat.adobe.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#52227 (acrobat.adobe.com.): answer: acrobat.adobe.com. IN A (10.100.0.1) -> NOERROR 124 CNAME acrobat.adobe.com.i.edgekey.net. 18179 CNAME e29329.dsca.akamaiedge.net. 20 A 198.51.100.124 20 A 198.51.100.128
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#33656: query: host133.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#33656: query: host133.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#33656 (host133.example.net.): answer: host133.example.net. IN A (10.100.0.1) -> NOERROR 1800 A 10.1.1.103
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#33656 (host133.example.net.): answer: host133.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#36788: query: host134.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#36788: query: host134.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#36788 (host134.example.net.): answer: host134.example.net. IN A (10.100.0.1) -> NOERROR 3600 A 10.1.0.57
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#36788 (host134.example.net.): answer: host134.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#53681: query: host135.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#53681: query: host135.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#53681 (host135.example.net.): answer: host135.example.net. IN A (10.100.0.1) -> NOERROR 600 A 10.1.0.98
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#53681 (host135.example.net.): answer: host135.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.188#45272: query: host132.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.188#45272 (host132.example.net.): answer: host132.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#55918: query: www.youtube.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#55918 (www.youtube.com.): answer: www.youtube.com. IN TYPE65 (10.100.0.1) -> NOERROR 256 CNAME youtube-ui.l.google.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#63506: query: www.youtube.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#63506 (www.youtube.com.): answer: www.youtube.com. IN A (10.100.0.1) -> NOERROR 256 CNAME youtube-ui.l.google.com. 92 A 198.51.100.251 92 A 198.51.100.109 92 A 198.51.100.253 92 A 198.51.100.238 92 A 172.16.2.68 92 A 198.51.100.241 92 A 172.16.2.70 92 A 172.16.2.71 92 A 198.51.100.164
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#53418: query: host136.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#53418: query: host136.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#53418 (host136.example.net.): answer: host136.example.net. IN A (10.100.0.1) -> NOERROR 3600 A 10.1.1.111
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#53418 (host136.example.net.): answer: host136.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.108#58804: query: graph.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.108#58804 (graph.microsoft.com.): answer: graph.microsoft.com. IN A (10.100.0.1) -> NOERROR 1055 CNAME ags.privatelink.msidentity.com. 165 CNAME www.tm.prd.ags.akadns.net. 122 A 198.51.100.142 122 A 198.51.100.140 122 A 198.51.100.143 122 A 198.51.100.141 122 A 198.51.100.210 122 A 198.51.100.139 122 A 198.51.100.138 122 A 198.51.100.149
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.54#50880: query: ipv6.msftconnecttest.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.54#50880 (ipv6.msftconnecttest.com.): answer: ipv6.msftconnecttest.com. IN A (10.100.0.1) -> NOERROR 358 CNAME ncsiv6-geo.trafficmanager.net. 70242 CNAME ipv6.msftconnecttest.com.edgesuite.net. 11153 CNAME a1968.i6g1.akamai.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.78#60581: query: login.microsoftonline.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.78#60581 (login.microsoftonline.com.): answer: login.microsoftonline.com. IN A (10.100.0.1) -> NOERROR 7955 CNAME login.mso.msidentity.com. 71 CNAME ak.privatelink.msidentity.com. 41 CNAME www.tm.a.prd.aadg.trafficmanager.net. 99 A 198.51.100.144 99 A 198.51.100.137 99 A 198.51.100.146 99 A 198.51.100.208 99 A 198.51.100.148 99 A 198.51.100.145 99 A 198.51.100.147 99 A 198.51.100.209
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.54#49940: query: ipv6.msftconnecttest.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.54#49940 (ipv6.msftconnecttest.com.): answer: ipv6.msftconnecttest.com. IN A (10.100.0.1) -> NOERROR 358 CNAME ncsiv6-geo.trafficmanager.net. 70242 CNAME ipv6.msftconnecttest.com.edgesuite.net. 11153 CNAME a1968.i6g1.akamai.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.170#51917: query: trk.pinterest.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.170#51917 (trk.pinterest.com.): answer: trk.pinterest.com. IN A (10.100.0.1) -> NOERROR 6 CNAME vpc-trk-10d1b1f8032805fc.elb.us-east-1.amazonaws.com. 11 A 198.51.100.228 11 A 198.51.100.12 11 A 198.51.100.179
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.59#58408: query: host034.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.59#58408 (host034.example.net.): answer: host034.example.net. IN A (10.100.0.1) -> NOERROR 1200 A 10.1.0.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.91#59678: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.91#59678 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.178#50620: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.178#50620 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.102#57874: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.102#57874 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.142#55587: query: euc-onenote.officeapps.live.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.142#55587 (euc-onenote.officeapps.live.com.): answer: euc-onenote.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR 23 CNAME euc-onenote-geo.wac.trafficmanager.net. 2 CNAME euc-onenote.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 33 CNAME wac-0003.wac-msedge.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.185#56945: query: host004.host004.host004.host004.example.net IN SRV (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.185#56945 (host004.host004.host004.host004.example.net.): answer: host004.host004.host004.host004.example.net. IN SRV (10.100.0.1) -> NOERROR 600 SRV 0 100 389 host005.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.46#63775: query: ipv6.msftconnecttest.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.46#63775 (ipv6.msftconnecttest.com.): answer: ipv6.msftconnecttest.com. IN A (10.100.0.1) -> NOERROR 358 CNAME ncsiv6-geo.trafficmanager.net. 70242 CNAME ipv6.msftconnecttest.com.edgesuite.net. 11153 CNAME a1968.i6g1.akamai.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.9#60908: query: edr-weu.eu.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.9#60908 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 15 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com. 3 A 198.51.100.158
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.60#54515: query: euro03.azure-devices.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.54#50308: query: ipv6.msftconnecttest.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.54#50308 (ipv6.msftconnecttest.com.): answer: ipv6.msftconnecttest.com. IN A (10.100.0.1) -> NOERROR 358 CNAME ncsiv6-geo.trafficmanager.net. 70242 CNAME ipv6.msftconnecttest.com.edgesuite.net. 11153 CNAME a1968.i6g1.akamai.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.142#62302: query: euc-onenote.officeapps.live.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.142#62302 (euc-onenote.officeapps.live.com.): answer: euc-onenote.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 22 CNAME euc-onenote-geo.wac.trafficmanager.net. 1 CNAME euc-onenote.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 32 CNAME wac-0003.wac-msedge.net. 17 A 198.51.100.235 17 A 198.51.100.236
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.9#44483: query: edr-weu.eu.endpoint.security.microsoft.com IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.9#44483 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN AAAA (10.100.0.1) -> NOERROR 177 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.58#62896: query: eu-office.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.58#62896 (eu-office.events.data.microsoft.com.): answer: eu-office.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 88 CNAME eu.aria.events.data.trafficmanager.net. 11 CNAME onedscolprdneu02.northeurope.cloudapp.azure.com. 2 A 198.51.100.155
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.46#63775: query: ipv6.msftconnecttest.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.46#63775 (ipv6.msftconnecttest.com.): answer: ipv6.msftconnecttest.com. IN A (10.100.0.1) -> NOERROR 358 CNAME ncsiv6-geo.trafficmanager.net. 70242 CNAME ipv6.msftconnecttest.com.edgesuite.net. 11153 CNAME a1968.i6g1.akamai.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.46#62119: query: ipv6.msftconnecttest.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.46#62119 (ipv6.msftconnecttest.com.): answer: ipv6.msftconnecttest.com. IN A (10.100.0.1) -> NOERROR 358 CNAME ncsiv6-geo.trafficmanager.net. 70242 CNAME ipv6.msftconnecttest.com.edgesuite.net. 11153 CNAME a1968.i6g1.akamai.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.9#52258: query: md-prod-simcon-ip128.westeurope.cloudapp.azure.com IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.9#52258 (md-prod-simcon-ip128.westeurope.cloudapp.azure.com.): answer: md-prod-simcon-ip128.westeurope.cloudapp.azure.com. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.170#51218: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.170#51218 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.149#61768: query: outlook.office.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.149#61768 (outlook.office.com.): answer: outlook.office.com. IN A (10.100.0.1) -> NOERROR 31 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.6 7 A 198.51.100.218 7 A 198.51.100.11 7 A 198.51.100.10
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.185#51248: query: host005.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.185#51248 (host005.example.net.): answer: host005.example.net. IN A (10.100.0.1) -> NOERROR 1200 A 10.1.0.228
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.14#50334: query: europe.cp.wd.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.14#50334 (europe.cp.wd.microsoft.com.): answer: europe.cp.wd.microsoft.com. IN A (10.100.0.1) -> NOERROR 982 CNAME wd-prod-cp-eu.trafficmanager.net. 208 CNAME wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com. 5 A 198.51.100.227
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.174#51527: query: msedge.api.cdp.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.174#51527 (msedge.api.cdp.microsoft.com.): answer: msedge.api.cdp.microsoft.com. IN A (10.100.0.1) -> NOERROR 180 CNAME api.cdp.microsoft.com. 3078 CNAME glb.api.prod.dcat.dsp.trafficmanager.net. 43 A 198.51.100.51
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.60#54515 (EURO03.azure-devices.net.): answer: EURO03.azure-devices.net. IN A (10.100.0.1) -> NOERROR 95 CNAME gateway-prod-gw-uksouth-3-tls10-g2.uksouth.cloudapp.azure.com. 10 A 198.51.100.229
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#51568: query: acrobat.adobe.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#51568 (acrobat.adobe.com.): answer: acrobat.adobe.com. IN A (10.100.0.1) -> NOERROR 124 CNAME acrobat.adobe.com.i.edgekey.net. 18179 CNAME e29329.dsca.akamaiedge.net. 20 A 198.51.100.128 20 A 198.51.100.124
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#56743: query: acrobat.adobe.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#56743 (acrobat.adobe.com.): answer: acrobat.adobe.com. IN TYPE65 (10.100.0.1) -> NOERROR 124 CNAME acrobat.adobe.com.i.edgekey.net. 18179 CNAME e29329.dsca.akamaiedge.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#56053: query: lcdn-locator.apple.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#56053 (lcdn-locator.apple.com.): answer: lcdn-locator.apple.com. IN TYPE65 (10.100.0.1) -> NOERROR 27514 CNAME lcdn-locator.apple.com.akadns.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#44665: query: host137.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#44665: query: host137.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#44665 (host137.example.net.): answer: host137.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.210
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#44665 (host137.example.net.): answer: host137.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#64579: query: dns.umbrella.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#64579 (dns.umbrella.com.): answer: dns.umbrella.com. IN A (10.100.0.1) -> NOERROR 376 A 198.51.100.161 376 A 198.51.100.160
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.45#51416: query: host059.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.190#63182: query: host138.host138.example.net IN A (10.1.0.189)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.45#51416 (host059.example.net.): answer: host059.example.net. IN A (10.100.0.1) -> NOERROR 1200 A 10.1.0.227
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#57694: query: dns.opendns.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#57694 (dns.opendns.com.): answer: dns.opendns.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#50294: query: _dns.resolver.arpa IN TYPE64 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#50294 (_dns.resolver.arpa.): answer: _dns.resolver.arpa. IN TYPE64 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#50260: query: lcdn-locator.apple.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#50260 (lcdn-locator.apple.com.): answer: lcdn-locator.apple.com. IN A (10.100.0.1) -> NOERROR 27514 CNAME lcdn-locator.apple.com.akadns.net. 15 CNAME lcdn-locator-usuqo.apple.com.akadns.net. 38 A 198.51.100.22
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#61200: query: dns.opendns.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#61200 (dns.opendns.com.): answer: dns.opendns.com. IN A (10.100.0.1) -> NOERROR 2380 A 198.51.100.160 2380 A 198.51.100.161
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.178#60709: query: mira-ofc.tm-4.office.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.178#60709 (mira-ofc.tm-4.office.com.): answer: mira-ofc.tm-4.office.com. IN A (10.100.0.1) -> NOERROR 6 A 198.51.100.248 6 A 198.51.100.247 6 A 198.51.100.245 6 A 198.51.100.238 6 A 198.51.100.242 6 A 198.51.100.246 6 A 198.51.100.243 6 A 198.51.100.244
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#55760: query: doh.umbrella.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#55760 (doh.umbrella.com.): answer: doh.umbrella.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#62432: query: doh.opendns.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#62432 (doh.opendns.com.): answer: doh.opendns.com. IN A (10.100.0.1) -> NOERROR 114 A 198.51.100.254
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#65243: query: doh.umbrella.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#65243 (doh.umbrella.com.): answer: doh.umbrella.com. IN A (10.100.0.1) -> NOERROR 1 A 198.51.100.255
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#49322: query: doh.opendns.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#49322 (doh.opendns.com.): answer: doh.opendns.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.84#62056: query: euc-word-telemetry.officeapps.live.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.84#62056 (euc-word-telemetry.officeapps.live.com.): answer: euc-word-telemetry.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 5 CNAME euc-word-telemetry.wac.trafficmanager.net. 1 CNAME pgteu5-word-telemetry-vip.officeapps.live.com. 5 A 198.51.100.233
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.84#63242: query: euc-word-telemetry.officeapps.live.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.84#63242 (euc-word-telemetry.officeapps.live.com.): answer: euc-word-telemetry.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR 5 CNAME euc-word-telemetry.wac.trafficmanager.net. 1 CNAME pgteu5-word-telemetry-vip.officeapps.live.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.150#59826: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.150#59826 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.193#46619: query: edr-weu.eu.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.193#46619 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 15 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com. 3 A 198.51.100.158
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.193#46619: query: edr-weu.eu.endpoint.security.microsoft.com IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.193#46619 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN AAAA (10.100.0.1) -> NOERROR 177 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.61#63557: query: substrate.office.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.61#63557 (substrate.office.com.): answer: substrate.office.com. IN A (10.100.0.1) -> NOERROR 46 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.11 7 A 198.51.100.10 7 A 198.51.100.218 7 A 198.51.100.6
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.152#56843: query: host139.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.152#56843 (host140.example.net.): answer: host140.example.net. IN A (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.152#55122: query: host141.host141.host141.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.152#55122 (host142.host142.host142.example.net.): answer: host142.host142.host142.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.131#65073: query: euc-word-edit.officeapps.live.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.131#65073 (euc-word-edit.officeapps.live.com.): answer: euc-word-edit.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 3 CNAME euc-word-edit-geo.wac.trafficmanager.net. 14 CNAME euc-word-edit.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 20 CNAME wac-0003.wac-msedge.net. 18 A 198.51.100.236 18 A 198.51.100.235
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.87#50122: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.87#50122 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.177#57792: query: array514.prod.do.dsp.mp.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.177#57792 (array514.prod.do.dsp.mp.microsoft.com.): answer: array514.prod.do.dsp.mp.microsoft.com. IN A (10.100.0.1) -> NOERROR 2679 A 198.51.100.50
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.99#58671: query: features.netscalergateway.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.99#58671 (features.netscalergateway.net.): answer: features.netscalergateway.net. IN A (10.100.0.1) -> NOERROR 21 CNAME features.netscalergateway.net.akadns.net. 13 CNAME az-eu-w-features.netscalergateway.net. 1 CNAME lb-traefik-ngs-production-client.westeurope.cloudapp.azure.com. 3 A 198.51.100.34
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.67#53210: query: host004.host004.host004.host004.example.net IN SRV (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.67#53210 (host004.host004.host004.host004.example.net.): answer: host004.host004.host004.host004.example.net. IN SRV (10.100.0.1) -> NOERROR 600 SRV 0 100 389 host005.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#56173: query: dns.umbrella.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#56173 (dns.umbrella.com.): answer: dns.umbrella.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.151#50235: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.151#50235 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.19#62903: query: downloadplugins.citrix.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.19#62903 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.152#53256: query: partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic.office.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.116#57937: query: login.microsoftonline.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.116#57937 (login.microsoftonline.com.): answer: login.microsoftonline.com. IN A (10.100.0.1) -> NOERROR 7955 CNAME login.mso.msidentity.com. 71 CNAME ak.privatelink.msidentity.com. 41 CNAME www.tm.a.prd.aadg.trafficmanager.net. 99 A 198.51.100.208 99 A 198.51.100.148 99 A 198.51.100.145 99 A 198.51.100.147 99 A 198.51.100.209 99 A 198.51.100.144 99 A 198.51.100.137 99 A 198.51.100.146
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.90#49563: query: host004.host004.host004.host004.example.net IN SRV (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.90#49563 (host004.host004.host004.host004.example.net.): answer: host004.host004.host004.host004.example.net. IN SRV (10.100.0.1) -> NOERROR 600 SRV 0 100 389 host005.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.35#50843: query: www.booking.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.35#50843 (www.booking.com.): answer: www.booking.com. IN A (10.100.0.1) -> NOERROR 467 CNAME d1of1hbywxxm65.cloudfront.net. 24 A 198.51.100.107 24 A 198.51.100.104 24 A 198.51.100.106 24 A 198.51.100.105
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.191#55015: query: host132.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.191#55015: query: host132.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.191#55015 (host132.example.net.): answer: host132.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.224
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.191#55015 (host132.example.net.): answer: host132.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.152#51053: query: partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic.office.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.67#53210: query: host005.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.67#53210 (host005.example.net.): answer: host005.example.net. IN A (10.100.0.1) -> NOERROR 1200 A 10.1.0.228
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.21#60618: query: config.edge.skype.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.21#60618 (config.edge.skype.com.): answer: config.edge.skype.com. IN TYPE65 (10.100.0.1) -> NOERROR 7182 CNAME config.edge.skype.com.trafficmanager.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.21#58136: query: config.edge.skype.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.21#58136 (config.edge.skype.com.): answer: config.edge.skype.com. IN A (10.100.0.1) -> NOERROR 7182 CNAME config.edge.skype.com.trafficmanager.net. 37 CNAME ln-0007.config.skype.com. 2449 CNAME config-edge-skype.ln-0007.ln-msedge.net. 207 CNAME ln-0007.ln-msedge.net. 108 A 198.51.100.2
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#51564: query: substrate.office.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#51564 (substrate.office.com.): answer: substrate.office.com. IN TYPE65 (10.100.0.1) -> NOERROR 46 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#53605: query: substrate.office.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#53605 (substrate.office.com.): answer: substrate.office.com. IN A (10.100.0.1) -> NOERROR 46 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.11 7 A 198.51.100.10 7 A 198.51.100.218 7 A 198.51.100.6
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#60953: query: lcdn-locator.apple.com.akadns.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#60953 (lcdn-locator.apple.com.akadns.net.): answer: lcdn-locator.apple.com.akadns.net. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.152#53256 (partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic.office.net.): answer: partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic.office.net. IN AAAA (10.100.0.1) -> NOERROR 6 CNAME cosmic-northeurope-ns-5ad59b4881b2.trafficmanager.net. 18 CNAME partition-cname-trouter-ic3-edf-trouter-service-trouter-1.d02-027.ic3-edf
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.121#65384: query: gew4-spclient.spotify.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.121#65384 (gew4-spclient.spotify.com.): answer: gew4-spclient.spotify.com. IN TYPE65 (10.100.0.1) -> NOERROR 139 CNAME edge-web-gew4.dual-gslb.spotify.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.121#55641: query: gew4-spclient.spotify.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.121#55641 (gew4-spclient.spotify.com.): answer: gew4-spclient.spotify.com. IN A (10.100.0.1) -> NOERROR 138 CNAME edge-web-gew4.dual-gslb.spotify.com. 37 A 198.51.100.202
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.35#62386: query: cdn.cookielaw.org IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.35#62386 (cdn.cookielaw.org.): answer: cdn.cookielaw.org. IN A (10.100.0.1) -> NOERROR 207 A 198.51.100.206 207 A 198.51.100.205
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#43628: query: 198.51.100.80.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#43628 (198.51.100.80.in-addr.arpa.): answer: 198.51.100.80.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host143.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.220#51327: query: example.net IN SOA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.220#51327 (example.net.): answer: example.net. IN SOA (10.100.0.1) -> NOERROR 3600 SOA host015.example.net. empty.empty. 1438828 3600 600 1209600 3600
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.152#51053 (partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic.office.net.): answer: partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic.office.net. IN A (10.100.0.1) -> NOERROR 6 CNAME cosmic-northeurope-ns-5ad59b4881b2.trafficmanager.net. 15 CNAME partition-cname-trouter-ic3-edf-trouter-service-trouter-2.d02-027.ic3-edf-tr
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.35#53568: query: t-cf.bstatic.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.35#53568 (t-cf.bstatic.com.): answer: t-cf.bstatic.com. IN A (10.100.0.1) -> NOERROR 1668 CNAME d2i5gg36g14bzn.cloudfront.net. 11 A 198.51.100.85 11 A 198.51.100.86 11 A 198.51.100.91 11 A 198.51.100.88
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#42167: query: host144.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#42167: query: host144.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#42167 (host144.example.net.): answer: host144.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.211
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#42167 (host144.example.net.): answer: host144.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.158#57886: query: weatherkit.apple.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.158#57886 (weatherkit.apple.com.): answer: weatherkit.apple.com. IN TYPE65 (10.100.0.1) -> NOERROR 2881 CNAME weatherkit.apple.com.akadns.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.169#56746: query: host145.example.net IN SOA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.169#56746 (host146.example.net.): answer: host146.example.net. IN SOA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.190#57427: query: 182.10.in-addr.arpa IN SOA (10.1.0.189)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.158#58840: query: weatherkit.apple.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.158#58840 (weatherkit.apple.com.): answer: weatherkit.apple.com. IN A (10.100.0.1) -> NOERROR 2881 CNAME weatherkit.apple.com.akadns.net. 52 CNAME weather-data.apple.com.akamaized.net. 9385 CNAME a2047.dscapi9.akamai.net. 5 A 198.51.100.195 5 A 198.51.100.194 5 A 198.51.100.192 5 A 198.51.100.199 5 A 198.51.100.198 5 A 198.51.100.196 5 A 198.51.100.193 5 A 198.51.100.197 5 A 104.1
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#35013: query: host147.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#35013: query: host147.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#35013 (host147.example.net.): answer: host147.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.212
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#35013 (host147.example.net.): answer: host147.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.184#52456: query: lb._dns-sd._udp.192.0.2.2.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.184#52456 (lb._dns-sd._udp.192.0.2.2.in-addr.arpa.): answer: lb._dns-sd._udp.192.0.2.2.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.184#63628: query: host021.host021.host021.example.net IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.184#63628 (host021.host021.host021.example.net.): answer: host021.host021.host021.example.net. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.87#62518: query: host022.host022.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.184#60235: query: lb._dns-sd._udp.198.51.100.162.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.184#60235 (lb._dns-sd._udp.198.51.100.162.in-addr.arpa.): answer: lb._dns-sd._udp.198.51.100.162.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.87#62518 (host023.host023.example.net.): answer: host023.host023.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.29#56153: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.29#56153 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.71#60092: query: self.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.71#60092 (self.events.data.microsoft.com.): answer: self.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 37 CNAME self-events-data.trafficmanager.net. 7 CNAME onedscolprdweu03.westeurope.cloudapp.azure.com. 0 A 198.51.100.213
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.169#56746: query: host015.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.169#56746 (host015.example.net.): answer: host015.example.net. IN A (10.100.0.1) -> NOERROR 600 A 10.1.0.189
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.65#52118: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.65#52118 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.158#51428: query: weatherkit.apple.com.akadns.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.158#51428 (weatherkit.apple.com.akadns.net.): answer: weatherkit.apple.com.akadns.net. IN TYPE65 (10.100.0.1) -> NOERROR 10 CNAME weather-data.apple.com.akamaized.net. 9385 CNAME a2047.dscapi9.akamai.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.104#57182: query: browser.events.data.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.104#57182 (browser.events.data.microsoft.com.): answer: browser.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 48 CNAME browser.events.data.trafficmanager.net. 47 CNAME onedscolprdcus03.centralus.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.104#51027: query: browser.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.104#51027 (browser.events.data.microsoft.com.): answer: browser.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 48 CNAME browser.events.data.trafficmanager.net. 47 CNAME onedscolprdcus03.centralus.cloudapp.azure.com. 5 A 198.51.100.214
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.146#64835: query: turbo.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.146#64835 (turbo.microsoft.com.): answer: turbo.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 892 CNAME turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.107#51019: query: downloadplugins.citrix.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.107#51019 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.146#60279: query: turbo.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.146#60279 (turbo.microsoft.com.): answer: turbo.microsoft.com. IN A (10.100.0.1) -> NOERROR 892 CNAME turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net. 5 CNAME mr-b01.tm-azurefd.net. 28 CNAME dual.part-0017.t-0009.fb-t-msedge.net. 37 CNAME part-0017.t-0009.fb-t-msedge.net. 35 A 198.51.100.211 35 A 198.51.100.210
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.152#60989: query: partition-cname-trouter-ic3-edf-trouter-service-trouter-1.d02-027.ic3-edf-trouter.01-northeurope-prod.cosmic.office.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.52#58498: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.52#58498 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.18#51279: query: host148.example.net IN SOA (10.1.0.189)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.18#51279 (host148.example.net.): answer: host148.example.net. IN SOA (10.1.0.189) -> SERVFAIL
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#63962: query: signaler-pa.clients6.google.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#63962 (signaler-pa.clients6.google.com.): answer: signaler-pa.clients6.google.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.146#55732: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.146#55732 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.152#60989 (partition-cname-trouter-ic3-edf-trouter-service-trouter-1.d02-027.ic3-edf-trouter.01-northeurope-prod.cosmic.office.net.): answer: partition-cname-trouter-ic3-edf-trouter-service-trouter-1.d02-027.ic3-edf-trouter.01-northeurope-prod.cosmic.office.net. IN A (10.100.0.1) -> NOERROR 18 A 198.51.100.253
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.156#64836: query: www.linkedin.com.cdn.cloudflare.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.156#64836 (www.linkedin.com.cdn.cloudflare.net.): answer: www.linkedin.com.cdn.cloudflare.net. IN TYPE65 (10.100.0.1) -> NOERROR
+<27>Apr 17 12:39:52 eip-dns-test01 named[38626]: client @0x22b4a6b66d10 10.1.1.169#60715: update 'example.net/IN' denied
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#53686: query: signaler-pa.clients6.google.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#53686 (signaler-pa.clients6.google.com.): answer: signaler-pa.clients6.google.com. IN A (10.100.0.1) -> NOERROR 196 A 172.16.2.69
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.144#57844: query: login.microsoftonline.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.144#57844 (login.microsoftonline.com.): answer: login.microsoftonline.com. IN A (10.100.0.1) -> NOERROR 7955 CNAME login.mso.msidentity.com. 71 CNAME ak.privatelink.msidentity.com. 41 CNAME www.tm.a.prd.aadg.trafficmanager.net. 99 A 198.51.100.145 99 A 198.51.100.147 99 A 198.51.100.209 99 A 198.51.100.144 99 A 198.51.100.137 99 A 198.51.100.146 99 A 198.51.100.208 99 A 198.51.100.148
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.181#63814: query: faster.typekit.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.150#61251: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.150#61251 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.178#53617: query: eu-office.events.data.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.178#53617 (eu-office.events.data.microsoft.com.): answer: eu-office.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 88 CNAME eu.aria.events.data.trafficmanager.net. 11 CNAME onedscolprdneu02.northeurope.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.180#57956: query: self.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.180#57956 (self.events.data.microsoft.com.): answer: self.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 37 CNAME self-events-data.trafficmanager.net. 7 CNAME onedscolprdweu03.westeurope.cloudapp.azure.com. 0 A 198.51.100.213
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.170#56918: query: notify.bugsnag.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.170#56918 (notify.bugsnag.com.): answer: notify.bugsnag.com. IN A (10.100.0.1) -> NOERROR 9 A 198.51.100.201
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.10#55264: query: host029.host029.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.10#55264 (host029.host029.example.net.): answer: host029.host029.example.net. IN A (10.100.0.1) -> NOERROR 0 A 10.1.1.29
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.36#59974: query: v10.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.36#59974 (v10.events.data.microsoft.com.): answer: v10.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 22 CNAME win-global-asimov-leafs-events-data.trafficmanager.net. 6 CNAME onedscolprdeus11.eastus.cloudapp.azure.com. 5 A 198.51.100.154
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.178#62530: query: eu-office.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.178#62530 (eu-office.events.data.microsoft.com.): answer: eu-office.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 88 CNAME eu.aria.events.data.trafficmanager.net. 11 CNAME onedscolprdneu02.northeurope.cloudapp.azure.com. 2 A 198.51.100.155
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#51117: query: m365.cloud.microsoft IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#51117 (m365.cloud.microsoft.): answer: m365.cloud.microsoft. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#56538: query: m365.cloud.microsoft IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#56538 (m365.cloud.microsoft.): answer: m365.cloud.microsoft. IN A (10.100.0.1) -> NOERROR 53 CNAME officehomemcm.anc.tm.svc.cloud.microsoft. 8 CNAME officehomemcm.afdcafe.tm.svc.cloud.microsoft. 41 CNAME home-office365-com.b-0004.b-msedge.net. 118 CNAME b-0004.b-msedge.net. 11 A 198.51.100.212
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.23#40411: query: host149.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.23#40411: query: host149.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.23#40411 (host149.example.net.): answer: host149.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.242
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.23#40411 (host149.example.net.): answer: host149.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.24#60102: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.24#60102 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.178#51651: query: onedscolprdneu02.northeurope.cloudapp.azure.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.77#50190: query: identity.osi.office.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.77#50190 (identity.osi.office.net.): answer: identity.osi.office.net. IN TYPE65 (10.100.0.1) -> NOERROR 904 CNAME prod.identity1.osi.office.net.akadns.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.77#52190: query: identity.osi.office.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.77#52190 (identity.osi.office.net.): answer: identity.osi.office.net. IN A (10.100.0.1) -> NOERROR 904 CNAME prod.identity1.osi.office.net.akadns.net. 142 CNAME eur.identity1.osi.office.net.akadns.net. 246 CNAME 3pidentity-prod-defaultgeo.trafficmanager.net. 49 CNAME atm.office.mira.tm.svc.cloud.microsoft. 9 A 198.51.100.237 9 A 198.51.100.240 9 A 198.51.100.239 9 A 198.51.100.241
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.72#52371: query: www.google.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.72#52371 (www.google.com.): answer: www.google.com. IN A (10.100.0.1) -> NOERROR 115 A 198.51.100.247 115 A 198.51.100.243 115 A 198.51.100.245 115 A 198.51.100.242 115 A 198.51.100.248 115 A 198.51.100.244 115 A 198.51.100.249 115 A 198.51.100.246
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.181#63814 (faster.typekit.net.): answer: faster.typekit.net. IN A (10.100.0.1) -> NOERROR 49 CNAME faster.typekit.net-stls-v3.edgesuite.net. 15555 CNAME a1962.dscg.akamai.net. 20 A 198.51.100.114 20 A 198.51.100.122
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.72#64444: query: www.google.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.72#64444 (www.google.com.): answer: www.google.com. IN A (10.100.0.1) -> NOERROR 115 A 198.51.100.249 115 A 198.51.100.246 115 A 198.51.100.247 115 A 198.51.100.243 115 A 198.51.100.245 115 A 198.51.100.242 115 A 198.51.100.248 115 A 198.51.100.244
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.171#64564: query: outlook.office.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.171#64564 (outlook.office.com.): answer: outlook.office.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.171#59964: query: outlook.office.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.171#59964 (outlook.office.com.): answer: outlook.office.com. IN A (10.100.0.1) -> NOERROR 31 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.10 7 A 198.51.100.6 7 A 198.51.100.218 7 A 198.51.100.11
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.104#57193: query: downloadplugins.citrix.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.104#57193 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.127#51465: query: host150.example.net IN SOA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.175#63931 (forum.viva.nl.): answer: forum.viva.nl. IN A (10.100.0.1) -> NOERROR 300 CNAME cf-viva.viva-forum.production.183295429382.eu-west-1.cloud.kompas.services. 300 CNAME djornz5oeyhvf.cloudfront.net. 60 A 198.51.100.87 60 A 198.51.100.90 60 A 198.51.100.84 60 A 198.51.100.89
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.127#51465 (host151.example.net.): answer: host151.example.net. IN SOA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.146#54240: query: eu-teams.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.146#54240 (eu-teams.events.data.microsoft.com.): answer: eu-teams.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 9 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.154#65052: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.154#65052 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.146#56805: query: eu-teams.events.data.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.146#56805 (eu-teams.events.data.microsoft.com.): answer: eu-teams.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 9 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.127#51465: query: host015.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.127#51465 (host015.example.net.): answer: host015.example.net. IN A (10.100.0.1) -> NOERROR 600 A 10.1.0.189
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.178#51651 (onedscolprdneu02.northeurope.cloudapp.azure.com.): answer: onedscolprdneu02.northeurope.cloudapp.azure.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.113#50510: query: 10-courier.push.apple.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.113#50510 (10-courier.push.apple.com.): answer: 10-courier.push.apple.com. IN A (10.100.0.1) -> NOERROR 12363 CNAME 10.courier-push-apple.com.akadns.net. 42 CNAME eu-nw-courier-4.push-apple.com.akadns.net. 22 A 198.51.100.38 22 A 198.51.100.35 22 A 198.51.100.33 22 A 198.51.100.34 22 A 198.51.100.37 22 A 198.51.100.36 22 A 198.51.100.32
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.74#55478: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.74#55478 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.167#62016: query: dns.msftncsi.com IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.167#62016 (dns.msftncsi.com.): answer: dns.msftncsi.com. IN AAAA (10.100.0.1) -> NOERROR 428 AAAA fd12:3456:789a::1
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#49664: query: turbo.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#49664 (turbo.microsoft.com.): answer: turbo.microsoft.com. IN A (10.100.0.1) -> NOERROR 892 CNAME turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net. 5 CNAME mr-b01.tm-azurefd.net. 28 CNAME dual.part-0017.t-0009.fb-t-msedge.net. 37 CNAME part-0017.t-0009.fb-t-msedge.net. 35 A 198.51.100.211 35 A 198.51.100.210
+<27>Apr 17 12:39:52 eip-dns-test01 named[38626]: client @0x22b4aaca8650 10.1.1.127#65381: update 'example.net/IN' denied
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#62584: query: turbo.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#62584 (turbo.microsoft.com.): answer: turbo.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 892 CNAME turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#55489: query: host113.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#55489 (host113.example.net.): answer: host113.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.207
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#62798: query: host113.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#62798 (host113.example.net.): answer: host113.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.207
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#52097: query: host013.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#52097: query: host013.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#52097 (host013.example.net.): answer: host013.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.217
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#52097 (host013.example.net.): answer: host013.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#63159: query: host113.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#63159 (host113.example.net.): answer: host113.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.207
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#60083: query: host113.example.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#60083 (host113.example.net.): answer: host113.example.net. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.114#13540: query: 4f8e09fa-adbd-4aae-838f-eb74857a9643-netseer-ipaddr-assoc.xy.fbcdn.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.175#65116: query: djornz5oeyhvf.cloudfront.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.65#57857: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.65#57857 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.32#61185: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.32#61185 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.146#57244: query: onedscolprdfrc01.francecentral.cloudapp.azure.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.146#57244 (onedscolprdfrc01.francecentral.cloudapp.azure.com.): answer: onedscolprdfrc01.francecentral.cloudapp.azure.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.31#57376: query: euc-word-telemetry.officeapps.live.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.31#57376 (euc-word-telemetry.officeapps.live.com.): answer: euc-word-telemetry.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR 5 CNAME euc-word-telemetry.wac.trafficmanager.net. 1 CNAME pgteu5-word-telemetry-vip.officeapps.live.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.31#56033: query: euc-word-telemetry.officeapps.live.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.31#56033 (euc-word-telemetry.officeapps.live.com.): answer: euc-word-telemetry.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 5 CNAME euc-word-telemetry.wac.trafficmanager.net. 1 CNAME pgteu5-word-telemetry-vip.officeapps.live.com. 5 A 198.51.100.233
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.8#58393: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.8#58393 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.174#62207: query: browser.events.data.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.174#62207 (browser.events.data.microsoft.com.): answer: browser.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 48 CNAME browser.events.data.trafficmanager.net. 47 CNAME onedscolprdcus03.centralus.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.174#56671: query: browser.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.174#56671 (browser.events.data.microsoft.com.): answer: browser.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 48 CNAME browser.events.data.trafficmanager.net. 47 CNAME onedscolprdcus03.centralus.cloudapp.azure.com. 5 A 198.51.100.214
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.163#64873: query: substrate.office.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.163#64873 (substrate.office.com.): answer: substrate.office.com. IN A (10.100.0.1) -> NOERROR 46 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.218 7 A 198.51.100.6 7 A 198.51.100.11 7 A 198.51.100.10
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.175#65116 (djornz5oeyhvf.cloudfront.net.): answer: djornz5oeyhvf.cloudfront.net. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.117#49320: query: tm-sdk.platinumai.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.117#49320 (tm-sdk.platinumai.net.): answer: tm-sdk.platinumai.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.132#50989: query: settings-win.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.132#50989 (settings-win.data.microsoft.com.): answer: settings-win.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 454 CNAME atm-settingsfe-prod-geo2.trafficmanager.net. 1 CNAME settings-prod-weu-1.westeurope.cloudapp.azure.com. 2 A 198.51.100.231
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.68#55642: query: excelonline.nel.measure.office.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.68#55642 (excelonline.nel.measure.office.net.): answer: excelonline.nel.measure.office.net. IN A (10.100.0.1) -> NOERROR 8 CNAME nel.measure.office.net.edgesuite.net. 5049 CNAME a1894.dscb.akamai.net. 14 A 198.51.100.116 14 A 198.51.100.114
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.28#50745: query: testorg.hive.templafy.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.28#50745 (testorg.hive.templafy.com.): answer: testorg.hive.templafy.com. IN A (10.100.0.1) -> NOERROR 2800 CNAME templafyprod1.templafy.com. 40 CNAME templafyprod1.trafficmanager.net. 47 CNAME backendpooltemplafyprod1-3.templafy.com. 53 A 198.51.100.153
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.173#59994: query: media-ams2-1.cdn.whatsapp.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.173#59994 (media-ams2-1.cdn.whatsapp.net.): answer: media-ams2-1.cdn.whatsapp.net. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.173#63733: query: media-ams2-1.cdn.whatsapp.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.173#63733 (media-ams2-1.cdn.whatsapp.net.): answer: media-ams2-1.cdn.whatsapp.net. IN A (10.100.0.1) -> NOERROR 2211 A 198.51.100.31
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.44#53603: query: teams.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.44#53603 (teams.microsoft.com.): answer: teams.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 95863 CNAME teams.office.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.44#62020: query: teams.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.44#62020 (teams.microsoft.com.): answer: teams.microsoft.com. IN A (10.100.0.1) -> NOERROR 95863 CNAME teams.office.com. 29 CNAME tmc-g2.tm-4.office.com. 22 CNAME teams-office-com.s-0005.dual-s-msedge.net. 101 CNAME s-0005.dual-s-msedge.net. 25 A 198.51.100.251 25 A 198.51.100.252
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.158#55420: query: testorg.hive.templafy.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.158#55420 (testorg.hive.templafy.com.): answer: testorg.hive.templafy.com. IN A (10.100.0.1) -> NOERROR 2800 CNAME templafyprod1.templafy.com. 40 CNAME templafyprod1.trafficmanager.net. 47 CNAME backendpooltemplafyprod1-3.templafy.com. 53 A 198.51.100.153
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.151#62818: query: eu-mobile.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.151#62818 (eu-mobile.events.data.microsoft.com.): answer: eu-mobile.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 8 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.151#54788: query: eu-mobile.events.data.microsoft.com IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.151#54788 (eu-mobile.events.data.microsoft.com.): answer: eu-mobile.events.data.microsoft.com. IN AAAA (10.100.0.1) -> NOERROR 8 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.114#13540 (4f8e09fa-adbd-4aae-838f-eb74857a9643-netseer-ipaddr-assoc.xy.fbcdn.net.): answer: 4f8e09fa-adbd-4aae-838f-eb74857a9643-netseer-ipaddr-assoc.xy.fbcdn.net. IN A (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.62#50678: query: uploads.cdn.biorender.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.62#50678 (uploads.cdn.biorender.com.): answer: uploads.cdn.biorender.com. IN TYPE65 (10.100.0.1) -> NOERROR 10 CNAME dw09pkmvpczpb.cloudfront.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.62#65274: query: uploads.cdn.biorender.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.41#60316: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.41#60316 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#59320: query: pfr1-collabhubrtc.officeapps.live.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#59320 (pfr1-collabhubrtc.officeapps.live.com.): answer: pfr1-collabhubrtc.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 79 CNAME pfr1-collabhubrtc-split.rtc.trafficmanager.net. 10 CNAME pfr1-vipcollabrtc.officeapps.live.com. 182 A 198.51.100.234
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#60305: query: pfr1-collabhubrtc.officeapps.live.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#60305 (pfr1-collabhubrtc.officeapps.live.com.): answer: pfr1-collabhubrtc.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.13#48460: query: host031.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.13#42494: query: host031.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.13#48460 (host031.example.net.): answer: host031.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.13#42494 (host031.example.net.): answer: host031.example.net. IN A (10.100.0.1) -> NOERROR 300 A 10.1.1.134
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.114#60260: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.114#49973: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.114#49973 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.114#60260 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.10#50807: query: example.net IN SOA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.10#50807 (example.net.): answer: example.net. IN SOA (10.100.0.1) -> NOERROR 3600 SOA host015.example.net. empty.empty. 1438828 3600 600 1209600 3600
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.130#64737: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.130#64737 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.89#50723: query: downloadplugins.citrix.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.89#50723 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.73#58165: query: editor.svc.cloud.microsoft IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.73#58165 (editor.svc.cloud.microsoft.): answer: editor.svc.cloud.microsoft. IN TYPE65 (10.100.0.1) -> NOERROR 20 CNAME prod1.naturallanguageeditorservice.osi.office.net.akadns.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.73#62974: query: editor.svc.cloud.microsoft IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.73#62974 (editor.svc.cloud.microsoft.): answer: editor.svc.cloud.microsoft. IN A (10.100.0.1) -> NOERROR 20 CNAME prod1.naturallanguageeditorservice.osi.office.net.akadns.net. 4 CNAME prod-eu-resolver.naturallanguageeditorservice.osi.office.net.akadns.net. 4 A 198.51.100.49
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.122#51055: query: tas01.cwsapp.update.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.122#51055 (tas01.cwsapp.update.microsoft.com.): answer: tas01.cwsapp.update.microsoft.com. IN A (10.100.0.1) -> NOERROR 125 CNAME glb.tas01.cwsapp-prod.dcat.dsp.mp.microsoft.com. 621 CNAME glb.cwsapp.prod.dcat.dsp.trafficmanager.net. 18 A 198.51.100.226
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.89#55853: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.89#55853 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.151#49510: query: onedscolprdfrc01.francecentral.cloudapp.azure.com IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.151#49510 (onedscolprdfrc01.francecentral.cloudapp.azure.com.): answer: onedscolprdfrc01.francecentral.cloudapp.azure.com. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.123#58803: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.123#58803 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.114#41461: query: host152.host152.host152.host152.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.114#41461 (host152.host152.host152.host152.example.net.): answer: host152.host152.host152.host152.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.120#52852: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.120#52852 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.94#62361: query: downloadplugins.citrix.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.94#62361 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#59427: query: www.google.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#59427 (www.google.com.): answer: www.google.com. IN A (10.100.0.1) -> NOERROR 115 A 198.51.100.247 115 A 198.51.100.243 115 A 198.51.100.245 115 A 198.51.100.242 115 A 198.51.100.248 115 A 198.51.100.244 115 A 198.51.100.249 115 A 198.51.100.246
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#53826: query: apple.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#53826 (apple.com.): answer: apple.com. IN A (10.100.0.1) -> NOERROR 244 A 198.51.100.53
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.172#56085: query: enterpriseregistration.windows.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.172#56085 (enterpriseregistration.windows.net.): answer: enterpriseregistration.windows.net. IN A (10.100.0.1) -> NOERROR 1792 CNAME na.privatelink.msidentity.com. 129 CNAME prdf.aadg.msidentity.com. 21 CNAME www.tm.f.prd.aadg.akadns.net. 291 A 198.51.100.214 291 A 198.51.100.211 291 A 198.51.100.212 291 A 198.51.100.213 291 A 198.51.100.150 291 A 198.51.100.215 291 A 198.51.100.152 291 A 20.190.181
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.55#57471: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.55#57471 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.115#30425: query: gos-api.gos-gsp.io IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.115#30425 (gos-api.gos-gsp.io.): answer: gos-api.gos-gsp.io. IN A (10.100.0.1) -> NOERROR 27 CNAME gos-api-pew1.gos-gsp.io. 4 CNAME gos-api-pew1-a.gos-gsp.io. 13 A 198.51.100.197 13 A 198.51.100.255 13 A 198.51.100.17 13 A 198.51.100.46
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.229#54956: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.229#54956 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.121#62632: query: keepalive.softether.org IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.121#62632 (keepalive.softether.org.): answer: keepalive.softether.org. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.164#60877: query: ams-efz.ms-acdc.office.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.164#60877 (ams-efz.ms-acdc.office.com.): answer: ams-efz.ms-acdc.office.com. IN A (10.100.0.1) -> NOERROR 6 A 198.51.100.218 6 A 198.51.100.11 6 A 198.51.100.10 6 A 198.51.100.6
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.110#65215: query: ws-m2m.prs.healthcare.philips.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.110#65215 (ws-m2m.prs.healthcare.philips.com.): answer: ws-m2m.prs.healthcare.philips.com. IN A (10.100.0.1) -> NOERROR 1545 A 198.51.100.163
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.112#59837: query: mask.icloud.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.112#59837 (mask.icloud.com.): answer: mask.icloud.com. IN TYPE65 (10.100.0.1) -> NOERROR 9366 CNAME mask.apple-dns.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#51279: query: waa-pa.clients6.google.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#51279 (waa-pa.clients6.google.com.): answer: waa-pa.clients6.google.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#49743: query: waa-pa.clients6.google.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#49743 (waa-pa.clients6.google.com.): answer: waa-pa.clients6.google.com. IN A (10.100.0.1) -> NOERROR 74 A 198.51.100.250
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.112#62214: query: mask.icloud.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.112#62214 (mask.icloud.com.): answer: mask.icloud.com. IN A (10.100.0.1) -> NOERROR 9366 CNAME mask.apple-dns.net. 3 A 198.51.100.42 3 A 198.51.100.41 3 A 198.51.100.45 3 A 198.51.100.46 3 A 198.51.100.43 3 A 198.51.100.44 3 A 198.51.100.40 3 A 198.51.100.47
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#51237: query: star.c10r.facebook.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#51237 (star.c10r.facebook.com.): answer: star.c10r.facebook.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#54810: query: xp.apple.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.60#64556: query: mdav.eu.endpoint.security.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#54810 (xp.apple.com.): answer: xp.apple.com. IN TYPE65 (10.100.0.1) -> NOERROR 2500 CNAME xp.itunes-apple.com.akadns.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.60#64556 (mdav.eu.endpoint.security.microsoft.com.): answer: mdav.eu.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 106 CNAME md-prod-simcon-atm-epp-eu.trafficmanager.net. 269 CNAME md-prod-simcon-ip0.westeurope.cloudapp.azure.com. 1 A 198.51.100.157
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.4#60140: query: euc-excel.officeapps.live.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.4#60140 (euc-excel.officeapps.live.com.): answer: euc-excel.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 49 CNAME euc-excel-geo.wac.trafficmanager.net. 55 CNAME euc-excel.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 44 CNAME wac-0003.wac-msedge.net. 17 A 198.51.100.236 17 A 198.51.100.235
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.4#58957: query: euc-excel.officeapps.live.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.4#58957 (euc-excel.officeapps.live.com.): answer: euc-excel.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 49 CNAME euc-excel-geo.wac.trafficmanager.net. 55 CNAME euc-excel.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 44 CNAME wac-0003.wac-msedge.net. 17 A 198.51.100.236 17 A 198.51.100.235
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#52105: query: ssl.gstatic.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#52105 (ssl.gstatic.com.): answer: ssl.gstatic.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#58669: query: ssl.gstatic.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#58669 (ssl.gstatic.com.): answer: ssl.gstatic.com. IN A (10.100.0.1) -> NOERROR 4 A 198.51.100.165
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.110#59967: query: ws-m2m.prs.healthcare.philips.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.110#59967 (ws-m2m.prs.healthcare.philips.com.): answer: ws-m2m.prs.healthcare.philips.com. IN A (10.100.0.1) -> NOERROR 1545 A 198.51.100.163
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.100#62713: query: outlook.office.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.100#62713 (outlook.office.com.): answer: outlook.office.com. IN A (10.100.0.1) -> NOERROR 31 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.10 7 A 198.51.100.6 7 A 198.51.100.218 7 A 198.51.100.11
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.88#59170: query: gacs-discovery.cloud.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.63#62901: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.63#62901 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#49874: query: xp.apple.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#49874 (xp.apple.com.): answer: xp.apple.com. IN A (10.100.0.1) -> NOERROR 2500 CNAME xp.itunes-apple.com.akadns.net. 77 CNAME xp-cdn-lb.itunes-apple.com.akadns.net. 25 CNAME xp.v.aaplimg.com. 11 A 198.51.100.55 11 A 198.51.100.54
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.112#51115: query: mask.apple-dns.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.112#51115 (mask.apple-dns.net.): answer: mask.apple-dns.net. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.38#60453: query: substrate.office.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.38#60453 (substrate.office.com.): answer: substrate.office.com. IN TYPE65 (10.100.0.1) -> NOERROR 46 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.38#54881: query: substrate.office.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.38#54881 (substrate.office.com.): answer: substrate.office.com. IN A (10.100.0.1) -> NOERROR 46 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.218 7 A 198.51.100.6 7 A 198.51.100.11 7 A 198.51.100.10
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.62#65274 (uploads.cdn.biorender.com.): answer: uploads.cdn.biorender.com. IN A (10.100.0.1) -> NOERROR 10 CNAME dw09pkmvpczpb.cloudfront.net. 60 A 198.51.100.93 60 A 198.51.100.95 60 A 198.51.100.92 60 A 198.51.100.94
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.120#62227: query: v10.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.120#62227 (v10.events.data.microsoft.com.): answer: v10.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 22 CNAME win-global-asimov-leafs-events-data.trafficmanager.net. 6 CNAME onedscolprdeus11.eastus.cloudapp.azure.com. 5 A 198.51.100.154
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.88#59170 (gacs-discovery.cloud.com.): answer: gacs-discovery.cloud.com. IN A (10.100.0.1) -> NOERROR 242 CNAME appconfig-ffb2c4are9abh3fa.a01.azurefd.net. 18 CNAME mr-a01.tm-azurefd.net. 25 CNAME dual.part-0017.t-0009.fb-t-msedge.net. 37 CNAME part-0017.t-0009.fb-t-msedge.net. 35 A 198.51.100.211 35 A 198.51.100.210
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.160#53191: query: graph.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.160#53191 (graph.microsoft.com.): answer: graph.microsoft.com. IN A (10.100.0.1) -> NOERROR 1055 CNAME ags.privatelink.msidentity.com. 165 CNAME www.tm.prd.ags.akadns.net. 122 A 198.51.100.210 122 A 198.51.100.139 122 A 198.51.100.138 122 A 198.51.100.149 122 A 198.51.100.142 122 A 198.51.100.140 122 A 198.51.100.143 122 A 198.51.100.141
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.160#50737: query: graph.microsoft.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.160#50737 (graph.microsoft.com.): answer: graph.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 1054 CNAME ags.privatelink.msidentity.com.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.132#53090: query: iphone-ld.origin-apple.com.akadns.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.132#53090 (iphone-ld.origin-apple.com.akadns.net.): answer: iphone-ld.origin-apple.com.akadns.net. IN A (10.100.0.1) -> NOERROR 292 CNAME iphone-ld-migration.origin-apple.com.akadns.net. 23 CNAME iphone-ld.v.aaplimg.com. 8 A 198.51.100.54 8 A 198.51.100.57
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.132#51249: query: iphone-ld.origin-apple.com.akadns.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.132#51249 (iphone-ld.origin-apple.com.akadns.net.): answer: iphone-ld.origin-apple.com.akadns.net. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.110#64771: query: locate-europe-west-azure-1.devicetrust.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.110#64771 (locate-europe-west-azure-1.devicetrust.com.): answer: locate-europe-west-azure-1.devicetrust.com. IN A (10.100.0.1) -> NOERROR 146 CNAME whois-eu-west-1.azurewebsites.net. 16 CNAME hosts.whois-eu-west-1.azurewebsites.net. 29 A 198.51.100.134 29 A 198.51.100.135 29 A 198.51.100.132 29 A 198.51.100.208 29 A 198.51.100.207 29 A 198.51.100.133
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.219#56542: query: 198.51.100.39.in-addr.arpa IN PTR (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.219#56542 (198.51.100.39.in-addr.arpa.): answer: 198.51.100.39.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host153.host153.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.219#57577: query: host153.host153.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.219#57577: query: host153.host153.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#48628: query: host013.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#48628: query: host013.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.219#57577 (host153.host153.example.net.): answer: host153.host153.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.218
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.219#57577 (host153.host153.example.net.): answer: host153.host153.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#48628 (host013.example.net.): answer: host013.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.217
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#48628 (host013.example.net.): answer: host013.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#64723: query: g.whatsapp.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#62816: query: xp.itunes-apple.com.akadns.net IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#64723 (g.whatsapp.net.): answer: g.whatsapp.net. IN A (10.100.0.1) -> NOERROR 299 CNAME chat.cdn.whatsapp.net. 6 A 198.51.100.33
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#62816 (xp.itunes-apple.com.akadns.net.): answer: xp.itunes-apple.com.akadns.net. IN TYPE65 (10.100.0.1) -> NOERROR 76 CNAME xp-cdn-lb.itunes-apple.com.akadns.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.141#53995: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.141#53995 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.141#51396: query: host001.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.141#51396 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.155#60368: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.155#60368 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.42#59690: query: eu-teams.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.42#59690 (eu-teams.events.data.microsoft.com.): answer: eu-teams.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 9 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.22#42840: query: host124.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.22#42840: query: host124.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.22#42840 (host124.example.net.): answer: host124.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.238
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.22#42840 (host124.example.net.): answer: host124.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#61589: query: scontent-ams2-1.cdninstagram.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#61589 (scontent-ams2-1.cdninstagram.com.): answer: scontent-ams2-1.cdninstagram.com. IN A (10.100.0.1) -> NOERROR 90 A 198.51.100.27
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.132#54332: query: iphone-ld.v.aaplimg.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.132#54332 (iphone-ld.v.aaplimg.com.): answer: iphone-ld.v.aaplimg.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.17#63349: query: host154.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.182#51869: query: login.microsoftonline.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.182#51869 (login.microsoftonline.com.): answer: login.microsoftonline.com. IN A (10.100.0.1) -> NOERROR 7955 CNAME login.mso.msidentity.com. 71 CNAME ak.privatelink.msidentity.com. 41 CNAME www.tm.a.prd.aadg.trafficmanager.net. 99 A 198.51.100.145 99 A 198.51.100.147 99 A 198.51.100.209 99 A 198.51.100.144 99 A 198.51.100.137 99 A 198.51.100.146 99 A 198.51.100.208 99 A 198.51.100.148
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.17#63349 (host155.example.net.): answer: host155.example.net. IN A (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.191#45557: query: host132.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.191#45557 (host132.example.net.): answer: host132.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.224
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.191#45557: query: host132.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.191#45557 (host132.example.net.): answer: host132.example.net. IN AAAA (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#59092: query: xp.v.aaplimg.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#59092 (xp.v.aaplimg.com.): answer: xp.v.aaplimg.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#52577: query: scontent-lhr6-2.cdninstagram.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#52577 (scontent-lhr6-2.cdninstagram.com.): answer: scontent-lhr6-2.cdninstagram.com. IN A (10.100.0.1) -> NOERROR 695 A 198.51.100.20
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.204#52449: query: host007.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.204#52449: query: host007.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.204#52449 (host007.example.net.): answer: host007.example.net. IN A (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net. 3600 A 10.100.0.1
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.204#52449 (host007.example.net.): answer: host007.example.net. IN AAAA (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.81#50648: query: downloadplugins.citrix.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.81#50648 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#61572: query: mail.google.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#52908: query: mail.google.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#52908 (mail.google.com.): answer: mail.google.com. IN A (10.100.0.1) -> NOERROR 233 A 198.51.100.240
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.190#53302: query: host156.host156.example.net IN AAAA (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.190#53302 (host156.host156.example.net.): answer: host156.host156.example.net. IN AAAA (10.100.0.1) -> NOERROR 28800 CNAME host157.host157.example.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.190#39280: query: host156.host156.example.net IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.190#39280 (host156.host156.example.net.): answer: host156.host156.example.net. IN A (10.100.0.1) -> NOERROR 28800 CNAME host157.host157.example.net. 28800 A 198.51.100.189
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.161#55971: query: editor.svc.cloud.microsoft IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.161#55971 (editor.svc.cloud.microsoft.): answer: editor.svc.cloud.microsoft. IN TYPE65 (10.100.0.1) -> NOERROR 20 CNAME prod1.naturallanguageeditorservice.osi.office.net.akadns.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.149#49773: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.149#49773 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.161#62709: query: editor.svc.cloud.microsoft IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.161#62709 (editor.svc.cloud.microsoft.): answer: editor.svc.cloud.microsoft. IN A (10.100.0.1) -> NOERROR 20 CNAME prod1.naturallanguageeditorservice.osi.office.net.akadns.net. 4 CNAME prod-eu-resolver.naturallanguageeditorservice.osi.office.net.akadns.net. 4 A 198.51.100.49
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.126#52802: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.126#52802 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#61559: query: acrobat.adobe.com IN TYPE65 (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#61559 (acrobat.adobe.com.): answer: acrobat.adobe.com. IN TYPE65 (10.100.0.1) -> NOERROR 124 CNAME acrobat.adobe.com.i.edgekey.net. 18179 CNAME e29329.dsca.akamaiedge.net.
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.112#56686: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.112#56686 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#61242: query: acrobat.adobe.com IN A (10.100.0.1)
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#61242 (acrobat.adobe.com.): answer: acrobat.adobe.com. IN A (10.100.0.1) -> NOERROR 124 CNAME acrobat.adobe.com.i.edgekey.net. 18179 CNAME e29329.dsca.akamaiedge.net. 20 A 198.51.100.124 20 A 198.51.100.128
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#61572 (mail.google.com.): answer: mail.google.com. IN TYPE65 (10.100.0.1) -> NOERROR
+<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.130#55301: query: 188926-ipv4fdsmte.gr.global.aa-rt.sharepoint.com IN A (10.100.0.1)
\ No newline at end of file
diff --git a/packages/efficient_ip/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json b/packages/efficient_ip/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json
new file mode 100644
index 00000000000..e12f5527b80
--- /dev/null
+++ b/packages/efficient_ip/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json
@@ -0,0 +1,133860 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.42",
+ "port": 56474
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-common.online.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "euc-common.online",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.42#56474: query: euc-common.online.office.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-common.online.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.42",
+ "port": 56474
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-common-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-common.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "euc-common.online.office.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-common-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-common.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.42#56474 (euc-common.online.office.com.): answer: euc-common.online.office.com. IN A (10.100.0.1) -> NOERROR 258 CNAME euc-common-geo.wac.trafficmanager.net. 5 CNAME euc-common.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 35 CNAME wac-0003.wac-msedge.net. 18 A 198.51.100.235 18 A 198.51.100.236 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-common.online.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.165",
+ "port": 59650
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "login.microsoftonline.com",
+ "registered_domain": "microsoftonline.com",
+ "subdomain": "login",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.165#59650: query: login.microsoftonline.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "login.microsoftonline.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.165",
+ "port": 59650
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "login.mso.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ak.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.a.prd.aadg.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.144",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.137",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.146",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.208",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.148",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.145",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.147",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.209",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "login.microsoftonline.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "login.mso.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ak.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.a.prd.aadg.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.144",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.137",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.146",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.208",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.148",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.145",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.147",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.209",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.165#59650 (login.microsoftonline.com.): answer: login.microsoftonline.com. IN A (10.100.0.1) -> NOERROR 7955 CNAME login.mso.msidentity.com. 71 CNAME ak.privatelink.msidentity.com. 41 CNAME www.tm.a.prd.aadg.trafficmanager.net. 99 A 198.51.100.144 99 A 198.51.100.137 99 A 198.51.100.146 99 A 198.51.100.208 99 A 198.51.100.148 99 A 198.51.100.145 99 A 198.51.100.147 99 A 198.51.100.209 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "login.microsoftonline.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.64",
+ "port": 50108
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dns.msftncsi.com",
+ "registered_domain": "msftncsi.com",
+ "subdomain": "dns",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.64#50108: query: dns.msftncsi.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.msftncsi.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.64",
+ "port": 50108
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.215",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "dns.msftncsi.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.215",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.64#50108 (dns.msftncsi.com.): answer: dns.msftncsi.com. IN A (10.100.0.1) -> NOERROR 8 A 198.51.100.215 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.msftncsi.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.74",
+ "port": 62956
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.74#62956: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.74",
+ "port": 62956
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.74#62956 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.105",
+ "port": 56853
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "europe.smartscreen",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.105#56853: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.105",
+ "port": 56853
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.105#56853 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.168",
+ "port": 63721
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "winatp-gw-weu",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.168#63721: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.168",
+ "port": 63721
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.168#63721 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 56127
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.google.com",
+ "registered_domain": "google.com",
+ "subdomain": "www",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#56127: query: www.google.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.google.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 56127
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.248",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.244",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.249",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.246",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.247",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.243",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.245",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.242",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.google.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.248",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.244",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.249",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.246",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.247",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.243",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.245",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.242",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#56127 (www.google.com.): answer: www.google.com. IN A (10.100.0.1) -> NOERROR 115 A 198.51.100.248 115 A 198.51.100.244 115 A 198.51.100.249 115 A 198.51.100.246 115 A 198.51.100.247 115 A 198.51.100.243 115 A 198.51.100.245 115 A 198.51.100.242 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.google.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 52551
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "z-p42-instagram.c10r.instagram.com",
+ "registered_domain": "instagram.com",
+ "subdomain": "z-p42-instagram.c10r",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#52551: query: z-p42-instagram.c10r.instagram.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "z-p42-instagram.c10r.instagram.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 53130
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "z-p42-instagram.c10r.instagram.com",
+ "registered_domain": "instagram.com",
+ "subdomain": "z-p42-instagram.c10r",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#53130: query: z-p42-instagram.c10r.instagram.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "z-p42-instagram.c10r.instagram.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 53130
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.29",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "z-p42-instagram.c10r.instagram.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.29",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#53130 (z-p42-instagram.c10r.instagram.com.): answer: z-p42-instagram.c10r.instagram.com. IN A (10.100.0.1) -> NOERROR 41 A 198.51.100.29 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "z-p42-instagram.c10r.instagram.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 53312
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "app-measurement.com",
+ "registered_domain": "app-measurement.com",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#53312: query: app-measurement.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "app-measurement.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 53312
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.253",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "app-measurement.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.253",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#53312 (app-measurement.com.): answer: app-measurement.com. IN A (10.100.0.1) -> NOERROR 177 A 198.51.100.253 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "app-measurement.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.95",
+ "port": 63787
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com",
+ "registered_domain": "citrix.com",
+ "subdomain": "downloadplugins",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.95#63787: query: downloadplugins.citrix.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.95",
+ "port": 63787
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.95#63787 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.75",
+ "port": 60720
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.75#60720: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.75",
+ "port": 60720
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.75#60720 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.75",
+ "port": 59046
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.75#59046: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.75",
+ "port": 59046
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.75#59046 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.128",
+ "port": 56258
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "view.adjust.com",
+ "registered_domain": "adjust.com",
+ "subdomain": "view",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#56258: query: view.adjust.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "view.adjust.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 52551
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "z-p42-instagram.c10r.instagram.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#52551 (z-p42-instagram.c10r.instagram.com.): answer: z-p42-instagram.c10r.instagram.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "z-p42-instagram.c10r.instagram.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.26",
+ "port": 50433
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "europe.smartscreen",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.26#50433: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.26",
+ "port": 50433
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.26#50433 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.101",
+ "port": 51741
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com",
+ "registered_domain": "citrix.com",
+ "subdomain": "downloadplugins",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.101#51741: query: downloadplugins.citrix.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.101",
+ "port": 51741
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.101#51741 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.141",
+ "port": 49021
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "pub-ent-frce-03-t.trouter.teams.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "pub-ent-frce-03-t.trouter.teams",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#49021: query: pub-ent-frce-03-t.trouter.teams.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "pub-ent-frce-03-t.trouter.teams.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.141",
+ "port": 49021
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "partition-cname-trouter.pub-ent-frce-03.ic3-edf-trouter.francecentral-prod.cosmic.office.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "pub-ent-frce-03-t.trouter.teams.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "partition-cname-trouter.pub-ent-frce-03.ic3-edf-trouter.francecentral-prod.cosmic.office.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#49021 (pub-ent-frce-03-t.trouter.teams.microsoft.com.): answer: pub-ent-frce-03-t.trouter.teams.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 678 CNAME partition-cname-trouter.pub-ent-frce-03.ic3-edf-trouter.francecentral-prod.cosmic.office.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "pub-ent-frce-03-t.trouter.teams.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.141",
+ "port": 37741
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "pub-ent-frce-03-t.trouter.teams.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "pub-ent-frce-03-t.trouter.teams",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#37741: query: pub-ent-frce-03-t.trouter.teams.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "pub-ent-frce-03-t.trouter.teams.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.141",
+ "port": 37741
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "partition-cname-trouter.pub-ent-frce-03.ic3-edf-trouter.francecentral-prod.cosmic.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cosmic-francecentral-ns-e44da0a10bd2.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "partition-cname-trouter-ic3-edf-trouter-service-trouter-1.d02",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "pub-ent-frce-03-t.trouter.teams.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "partition-cname-trouter.pub-ent-frce-03.ic3-edf-trouter.francecentral-prod.cosmic.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cosmic-francecentral-ns-e44da0a10bd2.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "partition-cname-trouter-ic3-edf-trouter-service-trouter-1.d02",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#37741 (pub-ent-frce-03-t.trouter.teams.microsoft.com.): answer: pub-ent-frce-03-t.trouter.teams.microsoft.com. IN A (10.100.0.1) -> NOERROR 679 CNAME partition-cname-trouter.pub-ent-frce-03.ic3-edf-trouter.francecentral-prod.cosmic.office.net. 16 CNAME cosmic-francecentral-ns-e44da0a10bd2.trafficmanager.net. 7 CNAME partition-cname-trouter-ic3-edf-trouter-service-trouter-1.d02"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "pub-ent-frce-03-t.trouter.teams.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.128",
+ "port": 56258
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "view.adjust.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#56258 (view.adjust.com.): answer: view.adjust.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "view.adjust.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.213",
+ "port": 56340
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "winatp-gw-weu",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.213#56340: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.213",
+ "port": 56340
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.213#56340 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.179",
+ "port": 50604
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "connect.epicgames.dev",
+ "registered_domain": "epicgames.dev",
+ "subdomain": "connect",
+ "top_level_domain": "dev",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.179#50604: query: connect.epicgames.dev IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "connect.epicgames.dev"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.86",
+ "port": 58372
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "login.microsoftonline.com",
+ "registered_domain": "microsoftonline.com",
+ "subdomain": "login",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.86#58372: query: login.microsoftonline.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "login.microsoftonline.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.86",
+ "port": 58372
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "login.mso.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ak.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.a.prd.aadg.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.145",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.147",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.209",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.144",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.137",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.146",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.208",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.148",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "login.microsoftonline.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "login.mso.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ak.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.a.prd.aadg.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.145",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.147",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.209",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.144",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.137",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.146",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.208",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.148",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.86#58372 (login.microsoftonline.com.): answer: login.microsoftonline.com. IN A (10.100.0.1) -> NOERROR 7955 CNAME login.mso.msidentity.com. 71 CNAME ak.privatelink.msidentity.com. 41 CNAME www.tm.a.prd.aadg.trafficmanager.net. 99 A 198.51.100.145 99 A 198.51.100.147 99 A 198.51.100.209 99 A 198.51.100.144 99 A 198.51.100.137 99 A 198.51.100.146 99 A 198.51.100.208 99 A 198.51.100.148 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "login.microsoftonline.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.140",
+ "port": 64819
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "rr1---sn-4g5lznsl.googlevideo.com",
+ "registered_domain": "googlevideo.com",
+ "subdomain": "rr1---sn-4g5lznsl",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.140#64819: query: rr1---sn-4g5lznsl.googlevideo.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "rr1---sn-4g5lznsl.googlevideo.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.140",
+ "port": 64819
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "rr1.sn-4g5lznsl.googlevideo.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.78",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "rr1---sn-4g5lznsl.googlevideo.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "rr1.sn-4g5lznsl.googlevideo.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.78",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.140#64819 (rr1---sn-4g5lznsl.googlevideo.com.): answer: rr1---sn-4g5lznsl.googlevideo.com. IN A (10.100.0.1) -> NOERROR 1658 CNAME rr1.sn-4g5lznsl.googlevideo.com. 1658 A 198.51.100.78 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "rr1---sn-4g5lznsl.googlevideo.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.148",
+ "port": 43768
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.google.com",
+ "registered_domain": "google.com",
+ "subdomain": "www",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.148#43768: query: www.google.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.google.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.148",
+ "port": 43768
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.246",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.247",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.243",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.245",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.242",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.248",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.244",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.249",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.google.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.246",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.247",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.243",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.245",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.242",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.248",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.244",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.249",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.148#43768 (www.google.com.): answer: www.google.com. IN A (10.100.0.1) -> NOERROR 115 A 198.51.100.246 115 A 198.51.100.247 115 A 198.51.100.243 115 A 198.51.100.245 115 A 198.51.100.242 115 A 198.51.100.248 115 A 198.51.100.244 115 A 198.51.100.249 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.google.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.118",
+ "port": 39600
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "connectivitycheck.gstatic.com",
+ "registered_domain": "gstatic.com",
+ "subdomain": "connectivitycheck",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.118#39600: query: connectivitycheck.gstatic.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "connectivitycheck.gstatic.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.118",
+ "port": 39600
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.239",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "connectivitycheck.gstatic.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.239",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.118#39600 (connectivitycheck.gstatic.com.): answer: connectivitycheck.gstatic.com. IN A (10.100.0.1) -> NOERROR 84 A 198.51.100.239 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "connectivitycheck.gstatic.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.118",
+ "port": 39600
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "connectivitycheck.gstatic.com",
+ "registered_domain": "gstatic.com",
+ "subdomain": "connectivitycheck",
+ "top_level_domain": "com",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.118#39600: query: connectivitycheck.gstatic.com IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "connectivitycheck.gstatic.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.118",
+ "port": 39600
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "fd12:3456:789a::1",
+ "type": "AAAA"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "connectivitycheck.gstatic.com.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "fd12:3456:789a::1",
+ "type": "AAAA"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.118#39600 (connectivitycheck.gstatic.com.): answer: connectivitycheck.gstatic.com. IN AAAA (10.100.0.1) -> NOERROR 84 AAAA fd12:3456:789a::1 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "connectivitycheck.gstatic.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.48",
+ "port": 59895
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "teams.cloud.microsoft",
+ "registered_domain": "cloud.microsoft",
+ "subdomain": "teams",
+ "top_level_domain": "microsoft",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#59895: query: teams.cloud.microsoft IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "teams.cloud.microsoft"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.48",
+ "port": 59895
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "teams-cloud-microsoft.s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "teams.cloud.microsoft.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "teams-cloud-microsoft.s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#59895 (teams.cloud.microsoft.): answer: teams.cloud.microsoft. IN TYPE65 (10.100.0.1) -> NOERROR 70 CNAME teams-cloud-microsoft.s-0005.dual-s-msedge.net. 18 CNAME s-0005.dual-s-msedge.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "teams.cloud.microsoft."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.48",
+ "port": 64296
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "teams.cloud.microsoft",
+ "registered_domain": "cloud.microsoft",
+ "subdomain": "teams",
+ "top_level_domain": "microsoft",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#64296: query: teams.cloud.microsoft IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "teams.cloud.microsoft"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.48",
+ "port": 64296
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "teams-cloud-microsoft.s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.251",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.252",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "teams.cloud.microsoft.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "teams-cloud-microsoft.s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.251",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.252",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#64296 (teams.cloud.microsoft.): answer: teams.cloud.microsoft. IN A (10.100.0.1) -> NOERROR 69 CNAME teams-cloud-microsoft.s-0005.dual-s-msedge.net. 17 CNAME s-0005.dual-s-msedge.net. 24 A 198.51.100.251 24 A 198.51.100.252 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "teams.cloud.microsoft."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.58",
+ "port": 59666
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.58#59666: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.58",
+ "port": 59666
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.58#59666 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.58",
+ "port": 50350
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.58#50350: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.58",
+ "port": 50350
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.58#50350 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.73",
+ "port": 52430
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com",
+ "registered_domain": "citrix.com",
+ "subdomain": "downloadplugins",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.73#52430: query: downloadplugins.citrix.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.73",
+ "port": 52430
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.73#52430 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 63397
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host002.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host002",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#63397: query: host002.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host002.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.237",
+ "port": 62629
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host003.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host003",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.237#62629: query: host003.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host003.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.237",
+ "port": 62629
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.236",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host003.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.236",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.237#62629 (host003.example.net.): answer: host003.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.236 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host003.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.180",
+ "port": 52405
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.icloud.com",
+ "registered_domain": "icloud.com",
+ "subdomain": "mask",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.180#52405: query: mask.icloud.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.icloud.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.180",
+ "port": 52405
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "mask.apple-dns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "mask.icloud.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "mask.apple-dns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.180#52405 (mask.icloud.com.): answer: mask.icloud.com. IN TYPE65 (10.100.0.1) -> NOERROR 9366 CNAME mask.apple-dns.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.icloud.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.79",
+ "port": 58430
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host004.host004.host004.host004.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host004.host004.host004.host004",
+ "top_level_domain": "net",
+ "type": "SRV"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.79#58430: query: host004.host004.host004.host004.example.net IN SRV (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host004.host004.host004.host004.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.79",
+ "port": 58430
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "0 100 389 host005.example.net.",
+ "type": "SRV"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host004.host004.host004.host004.example.net.",
+ "type": "SRV"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "0 100 389 host005.example.net.",
+ "type": "SRV"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.79#58430 (host004.host004.host004.host004.example.net.): answer: host004.host004.host004.host004.example.net. IN SRV (10.100.0.1) -> NOERROR 600 SRV 0 100 389 host005.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host004.host004.host004.host004.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.180",
+ "port": 60314
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.icloud.com",
+ "registered_domain": "icloud.com",
+ "subdomain": "mask",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.180#60314: query: mask.icloud.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.icloud.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.180",
+ "port": 60314
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "mask.apple-dns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.43",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.44",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.40",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.47",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.42",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.41",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.45",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.46",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "mask.icloud.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "mask.apple-dns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.43",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.44",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.40",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.47",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.42",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.41",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.45",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.46",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.180#60314 (mask.icloud.com.): answer: mask.icloud.com. IN A (10.100.0.1) -> NOERROR 9366 CNAME mask.apple-dns.net. 3 A 198.51.100.43 3 A 198.51.100.44 3 A 198.51.100.40 3 A 198.51.100.47 3 A 198.51.100.42 3 A 198.51.100.41 3 A 198.51.100.45 3 A 198.51.100.46 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.icloud.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 56616
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host006.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host006",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#56616: query: host006.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host006.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 56616
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host006.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#56616 (host006.example.net.): answer: host006.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host006.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.3",
+ "port": 60173
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host007",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.3#60173: query: host007.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.3",
+ "port": 60173
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host007",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.3#60173: query: host007.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.3",
+ "port": 60173
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "10.100.0.1",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "10.100.0.1",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.3#60173 (host007.example.net.): answer: host007.example.net. IN A (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net. 3600 A 10.100.0.1 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.3",
+ "port": 60173
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.3#60173 (host007.example.net.): answer: host007.example.net. IN AAAA (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 63397
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host002.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#63397 (host002.example.net.): answer: host002.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host002.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 54708
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.39.in-addr.arpa",
+ "registered_domain": "39.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#54708: query: 198.51.100.39.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.39.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 54708
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host009.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.39.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host009.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#54708 (198.51.100.39.in-addr.arpa.): answer: 198.51.100.39.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host009.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.39.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.181",
+ "port": 59494
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "res.public.onecdn.static.microsoft",
+ "registered_domain": "static.microsoft",
+ "subdomain": "res.public.onecdn",
+ "top_level_domain": "microsoft",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.181#59494: query: res.public.onecdn.static.microsoft IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "res.public.onecdn.static.microsoft"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.181",
+ "port": 59494
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "res-ocdi-public.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-1.public.onecdn.static.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-ocdi-stls-prod.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a434.dscd.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.76",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.69",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.74",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.64",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.70 14",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "res.public.onecdn.static.microsoft.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "res-ocdi-public.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-1.public.onecdn.static.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-ocdi-stls-prod.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a434.dscd.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.76",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.69",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.74",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.64",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.70 14",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.181#59494 (res.public.onecdn.static.microsoft.): answer: res.public.onecdn.static.microsoft. IN A (10.100.0.1) -> NOERROR 282 CNAME res-ocdi-public.trafficmanager.net. 87 CNAME res-1.public.onecdn.static.microsoft. 19 CNAME res-ocdi-stls-prod.edgesuite.net. 119 CNAME a434.dscd.akamai.net. 14 A 198.51.100.76 14 A 198.51.100.69 14 A 198.51.100.74 14 A 198.51.100.64 14 A 198.51.100.70 14 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "res.public.onecdn.static.microsoft."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.122",
+ "port": 49665
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "stream-production.avcdn.net",
+ "registered_domain": "avcdn.net",
+ "subdomain": "stream-production",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.122#49665: query: stream-production.avcdn.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "stream-production.avcdn.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.22",
+ "port": 54200
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host010.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host010",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.22#54200: query: host010.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host010.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.22",
+ "port": 54200
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.7",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host010.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.7",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.22#54200 (host010.example.net.): answer: host010.example.net. IN A (10.100.0.1) -> NOERROR 900 A 10.1.1.7 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host010.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 62066
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host011.host011.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host011.host011",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#62066: query: host011.host011.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host011.host011.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.118",
+ "port": 52650
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "refinery2fa.afaspocket.nl",
+ "registered_domain": "afaspocket.nl",
+ "subdomain": "refinery2fa",
+ "top_level_domain": "nl",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.118#52650: query: refinery2fa.afaspocket.nl IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "refinery2fa.afaspocket.nl"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.118",
+ "port": 52650
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "refinery2fa-afaspocket-nl.trafficmanager.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "refinery2fa.afaspocket.nl.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "refinery2fa-afaspocket-nl.trafficmanager.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.118#52650 (refinery2fa.afaspocket.nl.): answer: refinery2fa.afaspocket.nl. IN TYPE65 (10.100.0.1) -> NOERROR 2562 CNAME refinery2fa-afaspocket-nl.trafficmanager.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "refinery2fa.afaspocket.nl."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.118",
+ "port": 50566
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "refinery2fa.afaspocket.nl",
+ "registered_domain": "afaspocket.nl",
+ "subdomain": "refinery2fa",
+ "top_level_domain": "nl",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.118#50566: query: refinery2fa.afaspocket.nl IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "refinery2fa.afaspocket.nl"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.180",
+ "port": 61113
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.apple-dns.net",
+ "registered_domain": "apple-dns.net",
+ "subdomain": "mask",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.180#61113: query: mask.apple-dns.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.apple-dns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.180",
+ "port": 61113
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.apple-dns.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.180#61113 (mask.apple-dns.net.): answer: mask.apple-dns.net. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.apple-dns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.182",
+ "port": 61204
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "graph.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "graph",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.182#61204: query: graph.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.182",
+ "port": 61204
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ags.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.prd.ags.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.142",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.140",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.143",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.141",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.139",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.138",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.149",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "graph.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ags.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.prd.ags.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.142",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.140",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.143",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.141",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.139",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.138",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.149",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.182#61204 (graph.microsoft.com.): answer: graph.microsoft.com. IN A (10.100.0.1) -> NOERROR 1055 CNAME ags.privatelink.msidentity.com. 165 CNAME www.tm.prd.ags.akadns.net. 122 A 198.51.100.142 122 A 198.51.100.140 122 A 198.51.100.143 122 A 198.51.100.141 122 A 198.51.100.210 122 A 198.51.100.139 122 A 198.51.100.138 122 A 198.51.100.149 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.33",
+ "port": 64388
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-teams.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-teams.events.data",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.33#64388: query: eu-teams.events.data.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-teams.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.33",
+ "port": 64388
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-teams.events.data.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.33#64388 (eu-teams.events.data.microsoft.com.): answer: eu-teams.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 9 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-teams.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.33",
+ "port": 52928
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-teams.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-teams.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.33#52928: query: eu-teams.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-teams.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.33",
+ "port": 52928
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-teams.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.33#52928 (eu-teams.events.data.microsoft.com.): answer: eu-teams.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 9 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-teams.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.56",
+ "port": 52730
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edge.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edge",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.56#52730: query: edge.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.56",
+ "port": 52730
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-microsoft-com.ax-0002.ax-msedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edge.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-microsoft-com.ax-0002.ax-msedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.56#52730 (edge.microsoft.com.): answer: edge.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 626 CNAME edge-microsoft-com.ax-0002.ax-msedge.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.92",
+ "port": 57947
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host010.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host010",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.92#57947: query: host010.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host010.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.92",
+ "port": 57947
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.7",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host010.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.7",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.92#57947 (host010.example.net.): answer: host010.example.net. IN A (10.100.0.1) -> NOERROR 900 A 10.1.1.7 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host010.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.56",
+ "port": 56409
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edge.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edge",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.56#56409: query: edge.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.56",
+ "port": 56409
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-microsoft-com.ax-0002.ax-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ax-0002.ax-dc-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.4",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.3",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edge.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-microsoft-com.ax-0002.ax-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ax-0002.ax-dc-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.4",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.3",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.56#56409 (edge.microsoft.com.): answer: edge.microsoft.com. IN A (10.100.0.1) -> NOERROR 626 CNAME edge-microsoft-com.ax-0002.ax-msedge.net. 80 CNAME ax-0002.ax-dc-msedge.net. 5 A 198.51.100.4 5 A 198.51.100.3 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.197",
+ "port": 56096
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host012.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host012",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.197#56096: query: host012.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host012.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.197",
+ "port": 33276
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host012.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host012",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.197#33276: query: host012.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host012.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.197",
+ "port": 33276
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host012.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.197#33276 (host012.example.net.): answer: host012.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host012.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.197",
+ "port": 56096
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.196",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host012.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.196",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.197#56096 (host012.example.net.): answer: host012.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.196 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host012.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.69",
+ "port": 56832
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "play.playr.biz",
+ "registered_domain": "playr.biz",
+ "subdomain": "play",
+ "top_level_domain": "biz",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#56832: query: play.playr.biz IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "play.playr.biz"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.69",
+ "port": 56832
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.21",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "play.playr.biz.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.21",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#56832 (play.playr.biz.): answer: play.playr.biz. IN A (10.100.0.1) -> NOERROR 1517 A 198.51.100.21 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "play.playr.biz."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 57258
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host013",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#57258: query: host013.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 57258
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.217",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.217",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#57258 (host013.example.net.): answer: host013.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.217 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 57258
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host013",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#57258: query: host013.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 57258
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#57258 (host013.example.net.): answer: host013.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.179",
+ "port": 50604
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "weighted-epic-connect-manager-prod.epicgames.dev.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.13",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.82",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.3",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.22",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.187",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.186",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.15",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.19",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "connect.epicgames.dev.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "weighted-epic-connect-manager-prod.epicgames.dev.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.13",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.82",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.3",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.22",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.187",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.186",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.15",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.19",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.179#50604 (connect.epicgames.dev.): answer: connect.epicgames.dev. IN A (10.100.0.1) -> NOERROR 241 CNAME weighted-epic-connect-manager-prod.epicgames.dev. 60 A 198.51.100.13 60 A 198.51.100.82 60 A 198.51.100.3 60 A 198.51.100.22 60 A 198.51.100.187 60 A 198.51.100.186 60 A 198.51.100.15 60 A 198.51.100.19 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "connect.epicgames.dev."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.69",
+ "port": 64939
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "play.playr.biz",
+ "registered_domain": "playr.biz",
+ "subdomain": "play",
+ "top_level_domain": "biz",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#64939: query: play.playr.biz IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "play.playr.biz"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.69",
+ "port": 64939
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.21",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "play.playr.biz.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.21",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#64939 (play.playr.biz.): answer: play.playr.biz. IN A (10.100.0.1) -> NOERROR 1517 A 198.51.100.21 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "play.playr.biz."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.69",
+ "port": 50161
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "cdn.jsdelivr.net",
+ "registered_domain": "jsdelivr.net",
+ "subdomain": "cdn",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#50161: query: cdn.jsdelivr.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "cdn.jsdelivr.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.69",
+ "port": 50161
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "cdn.jsdelivr.net.cdn.cloudflare.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.201",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.200",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "cdn.jsdelivr.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "cdn.jsdelivr.net.cdn.cloudflare.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.201",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.200",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#50161 (cdn.jsdelivr.net.): answer: cdn.jsdelivr.net. IN A (10.100.0.1) -> NOERROR 263 CNAME cdn.jsdelivr.net.cdn.cloudflare.net. 196 A 198.51.100.201 196 A 198.51.100.200 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "cdn.jsdelivr.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.69",
+ "port": 53178
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "cdn.jsdelivr.net",
+ "registered_domain": "jsdelivr.net",
+ "subdomain": "cdn",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#53178: query: cdn.jsdelivr.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "cdn.jsdelivr.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.69",
+ "port": 53178
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "cdn.jsdelivr.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#53178 (cdn.jsdelivr.net.): answer: cdn.jsdelivr.net. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "cdn.jsdelivr.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.250",
+ "port": 57252
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host014.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host014",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.250#57252: query: host014.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host014.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.250",
+ "port": 57252
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.251",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host014.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.251",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.250#57252 (host014.example.net.): answer: host014.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.251 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host014.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.250",
+ "port": 49550
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host014.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host014",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.250#49550: query: host014.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host014.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.250",
+ "port": 49550
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host014.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.250#49550 (host014.example.net.): answer: host014.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host014.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.83",
+ "port": 50183
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.83#50183: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.83",
+ "port": 50183
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.83#50183 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.28",
+ "port": 58990
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.28#58990: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.28",
+ "port": 58990
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.28#58990 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.122",
+ "port": 49665
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "stream-production.avcdn.net.akamaized.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a6143.dscd.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.58",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.74",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.67",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.60",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.75",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.66",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.72",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.77",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.62",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "stream-production.avcdn.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "stream-production.avcdn.net.akamaized.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a6143.dscd.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.58",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.74",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.67",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.60",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.75",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.66",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.72",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.77",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.62",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.122#49665 (stream-production.avcdn.net.): answer: stream-production.avcdn.net. IN A (10.100.0.1) -> NOERROR 181 CNAME stream-production.avcdn.net.akamaized.net. 5470 CNAME a6143.dscd.akamai.net. 20 A 198.51.100.58 20 A 198.51.100.74 20 A 198.51.100.67 20 A 198.51.100.60 20 A 198.51.100.75 20 A 198.51.100.66 20 A 198.51.100.72 20 A 198.51.100.77 20 A 198.51.100.62 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "stream-production.avcdn.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.133",
+ "port": 58488
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.133#58488: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.133",
+ "port": 58488
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.133#58488 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.97",
+ "port": 58799
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.97#58799: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.97",
+ "port": 58799
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.97#58799 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.208",
+ "port": 57653
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "example.net",
+ "registered_domain": "example.net",
+ "top_level_domain": "net",
+ "type": "SOA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.208#57653: query: example.net IN SOA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.177",
+ "port": 63489
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gew4-spclient.spotify.com",
+ "registered_domain": "spotify.com",
+ "subdomain": "gew4-spclient",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.177#63489: query: gew4-spclient.spotify.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gew4-spclient.spotify.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.177",
+ "port": 63489
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-web-gew4.dual-gslb.spotify.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.202",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "gew4-spclient.spotify.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-web-gew4.dual-gslb.spotify.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.202",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.177#63489 (gew4-spclient.spotify.com.): answer: gew4-spclient.spotify.com. IN A (10.100.0.1) -> NOERROR 138 CNAME edge-web-gew4.dual-gslb.spotify.com. 37 A 198.51.100.202 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gew4-spclient.spotify.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.208",
+ "port": 57653
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host015.example.net. empty.empty. 1438828 3600 600 1209600 3600",
+ "type": "SOA"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "example.net.",
+ "type": "SOA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host015.example.net. empty.empty. 1438828 3600 600 1209600 3600",
+ "type": "SOA"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.208#57653 (example.net.): answer: example.net. IN SOA (10.100.0.1) -> NOERROR 3600 SOA host015.example.net. empty.empty. 1438828 3600 600 1209600 3600 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.177",
+ "port": 51056
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gew4-spclient.spotify.com",
+ "registered_domain": "spotify.com",
+ "subdomain": "gew4-spclient",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.177#51056: query: gew4-spclient.spotify.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gew4-spclient.spotify.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.177",
+ "port": 51056
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-web-gew4.dual-gslb.spotify.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "gew4-spclient.spotify.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-web-gew4.dual-gslb.spotify.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.177#51056 (gew4-spclient.spotify.com.): answer: gew4-spclient.spotify.com. IN TYPE65 (10.100.0.1) -> NOERROR 139 CNAME edge-web-gew4.dual-gslb.spotify.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gew4-spclient.spotify.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.250",
+ "port": 43650
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host016.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host016",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.250#43650: query: host016.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host016.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.250",
+ "port": 43650
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host016.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.250#43650 (host016.example.net.): answer: host016.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host016.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 62066
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host011.host011.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#62066 (host011.host011.example.net.): answer: host011.host011.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host011.host011.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.250",
+ "port": 51709
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host016.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host016",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.250#51709: query: host016.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host016.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.250",
+ "port": 51709
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.252",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host016.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.252",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.250#51709 (host016.example.net.): answer: host016.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.252 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host016.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 59119
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host017.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host017",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#59119: query: host017.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host017.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.251",
+ "port": 31139
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.79.in-addr.arpa",
+ "registered_domain": "79.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.251#31139: query: 198.51.100.79.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.79.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 59119
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host017.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#59119 (host017.example.net.): answer: host017.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host017.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 58215
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gateway.facebook.com",
+ "registered_domain": "facebook.com",
+ "subdomain": "gateway",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#58215: query: gateway.facebook.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gateway.facebook.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 58215
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "dgw.c10r.facebook.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.26",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "gateway.facebook.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "dgw.c10r.facebook.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.26",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#58215 (gateway.facebook.com.): answer: gateway.facebook.com. IN A (10.100.0.1) -> NOERROR 1121 CNAME dgw.c10r.facebook.com. 33 A 198.51.100.26 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gateway.facebook.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.251",
+ "port": 31139
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host018.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.79.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host018.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.251#31139 (198.51.100.79.in-addr.arpa.): answer: 198.51.100.79.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host018.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.79.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 65408
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edge-mqtt.facebook.com",
+ "registered_domain": "facebook.com",
+ "subdomain": "edge-mqtt",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#65408: query: edge-mqtt.facebook.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge-mqtt.facebook.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 65408
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "mqtt.c10r.facebook.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.25",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edge-mqtt.facebook.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "mqtt.c10r.facebook.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.25",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#65408 (edge-mqtt.facebook.com.): answer: edge-mqtt.facebook.com. IN A (10.100.0.1) -> NOERROR 44 CNAME mqtt.c10r.facebook.com. 1 A 198.51.100.25 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge-mqtt.facebook.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.78",
+ "port": 59607
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com",
+ "registered_domain": "citrix.com",
+ "subdomain": "downloadplugins",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.78#59607: query: downloadplugins.citrix.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.78",
+ "port": 59607
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.78#59607 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.69",
+ "port": 58225
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "europe.smartscreen",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#58225: query: europe.smartscreen.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.69",
+ "port": 58225
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#58225 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.69",
+ "port": 50093
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "europe.smartscreen",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#50093: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.69",
+ "port": 50093
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#50093 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.118",
+ "port": 49228
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "refinery2fa-afaspocket-nl.trafficmanager.net",
+ "registered_domain": "trafficmanager.net",
+ "subdomain": "refinery2fa-afaspocket-nl",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.118#49228: query: refinery2fa-afaspocket-nl.trafficmanager.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "refinery2fa-afaspocket-nl.trafficmanager.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.72",
+ "port": 62166
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "default._dante-ddm-d._udp",
+ "type": "SRV"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.72#62166: query: default._dante-ddm-d._udp IN SRV (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "default._dante-ddm-d._udp"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.72",
+ "port": 62166
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "default._dante-ddm-d._udp.",
+ "type": "SRV"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.72#62166 (default._dante-ddm-d._udp.): answer: default._dante-ddm-d._udp. IN SRV (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "default._dante-ddm-d._udp."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.84",
+ "port": 51692
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host019.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host019",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.84#51692: query: host019.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host019.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.84",
+ "port": 51692
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.8",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host019.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.8",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.84#51692 (host019.example.net.): answer: host019.example.net. IN A (10.100.0.1) -> NOERROR 180 A 10.1.1.8 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host019.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 56703
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host020.host020.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host020.host020",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56703: query: host020.host020.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host020.host020.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 56703
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host020.host020.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56703 (host020.host020.example.net.): answer: host020.host020.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host020.host020.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.252",
+ "port": 42821
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.79.in-addr.arpa",
+ "registered_domain": "79.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.252#42821: query: 198.51.100.79.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.79.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.252",
+ "port": 42821
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host018.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.79.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host018.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.252#42821 (198.51.100.79.in-addr.arpa.): answer: 198.51.100.79.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host018.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.79.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.125",
+ "port": 56402
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.apple-dns.net",
+ "registered_domain": "apple-dns.net",
+ "subdomain": "mask",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#56402: query: mask.apple-dns.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.apple-dns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.125",
+ "port": 56402
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.41",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.47",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.44",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.40",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.42",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.43",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.46",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.45",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "mask.apple-dns.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.41",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.47",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.44",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.40",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.42",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.43",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.46",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.45",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#56402 (mask.apple-dns.net.): answer: mask.apple-dns.net. IN A (10.100.0.1) -> NOERROR 3 A 198.51.100.41 3 A 198.51.100.47 3 A 198.51.100.44 3 A 198.51.100.40 3 A 198.51.100.42 3 A 198.51.100.43 3 A 198.51.100.46 3 A 198.51.100.45 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.apple-dns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.125",
+ "port": 63701
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.apple-dns.net",
+ "registered_domain": "apple-dns.net",
+ "subdomain": "mask",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#63701: query: mask.apple-dns.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.apple-dns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.125",
+ "port": 63701
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.apple-dns.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#63701 (mask.apple-dns.net.): answer: mask.apple-dns.net. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.apple-dns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.71",
+ "port": 65086
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.71#65086: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.71",
+ "port": 65086
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.71#65086 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.139",
+ "port": 49348
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.198.51.100.113.in-addr.arpa",
+ "registered_domain": "113.in-addr.arpa",
+ "subdomain": "lb._dns-sd._udp.198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.139#49348: query: lb._dns-sd._udp.198.51.100.113.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.198.51.100.113.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.139",
+ "port": 49348
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.198.51.100.113.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.139#49348 (lb._dns-sd._udp.198.51.100.113.in-addr.arpa.): answer: lb._dns-sd._udp.198.51.100.113.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.198.51.100.113.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.139",
+ "port": 53868
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.192.0.2.2.in-addr.arpa",
+ "registered_domain": "2.in-addr.arpa",
+ "subdomain": "lb._dns-sd._udp.192.0.2",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.139#53868: query: lb._dns-sd._udp.192.0.2.2.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.192.0.2.2.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.139",
+ "port": 55797
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host021.host021.host021.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host021.host021.host021",
+ "top_level_domain": "net",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.139#55797: query: host021.host021.host021.example.net IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host021.host021.host021.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.139",
+ "port": 53868
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.192.0.2.2.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.139#53868 (lb._dns-sd._udp.192.0.2.2.in-addr.arpa.): answer: lb._dns-sd._udp.192.0.2.2.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.192.0.2.2.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.139",
+ "port": 55797
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host021.host021.host021.example.net.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.139#55797 (host021.host021.host021.example.net.): answer: host021.host021.host021.example.net. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host021.host021.host021.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.181",
+ "port": 63814
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "cctypekit.adobe.io",
+ "registered_domain": "adobe.io",
+ "subdomain": "cctypekit",
+ "top_level_domain": "io",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.181#63814: query: cctypekit.adobe.io IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "cctypekit.adobe.io"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.84",
+ "port": 51692
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host022.host022.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host022.host022",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.84#51692: query: host022.host022.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host022.host022.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.84",
+ "port": 51692
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host023.host023.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.84#51692 (host023.host023.example.net.): answer: host023.host023.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host023.host023.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 63397
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host024.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host024",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#63397: query: host024.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host024.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 63397
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host024.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#63397 (host024.example.net.): answer: host024.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host024.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.118",
+ "port": 50566
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "refinery2fa-afaspocket-nl.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "pocketapi2fa.azurewebsites.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "waws-prod-am2-025a.sip.azurewebsites.windows.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "waws-prod-am2-025.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.207",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "refinery2fa.afaspocket.nl.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "refinery2fa-afaspocket-nl.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "pocketapi2fa.azurewebsites.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "waws-prod-am2-025a.sip.azurewebsites.windows.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "waws-prod-am2-025.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.207",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.118#50566 (refinery2fa.afaspocket.nl.): answer: refinery2fa.afaspocket.nl. IN A (10.100.0.1) -> NOERROR 2563 CNAME refinery2fa-afaspocket-nl.trafficmanager.net. 60 CNAME pocketapi2fa.azurewebsites.net. 30 CNAME waws-prod-am2-025a.sip.azurewebsites.windows.net. 2653 CNAME waws-prod-am2-025.westeurope.cloudapp.azure.com. 4 A 198.51.100.207 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "refinery2fa.afaspocket.nl."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.181",
+ "port": 63814
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "cctypekit.adobe.io.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e364363.dscg.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.124",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.128",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "cctypekit.adobe.io.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "cctypekit.adobe.io.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e364363.dscg.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.124",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.128",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.181#63814 (cctypekit.adobe.io.): answer: cctypekit.adobe.io. IN A (10.100.0.1) -> NOERROR 16 CNAME cctypekit.adobe.io.edgekey.net. 7530 CNAME e364363.dscg.akamaiedge.net. 20 A 198.51.100.124 20 A 198.51.100.128 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "cctypekit.adobe.io."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.68",
+ "port": 58264
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "metadata.google.internal",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.68#58264: query: metadata.google.internal IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "metadata.google.internal"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.68",
+ "port": 58264
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "metadata.google.internal.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.68#58264 (metadata.google.internal.): answer: metadata.google.internal. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "metadata.google.internal."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.143",
+ "port": 50982
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "contacts.fe2.apple-dns.net",
+ "registered_domain": "apple-dns.net",
+ "subdomain": "contacts.fe2",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.143#50982: query: contacts.fe2.apple-dns.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "contacts.fe2.apple-dns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.143",
+ "port": 50982
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "contacts.fe2.apple-dns.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.143#50982 (contacts.fe2.apple-dns.net.): answer: contacts.fe2.apple-dns.net. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "contacts.fe2.apple-dns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.143",
+ "port": 60326
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "contacts.fe2.apple-dns.net",
+ "registered_domain": "apple-dns.net",
+ "subdomain": "contacts.fe2",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.143#60326: query: contacts.fe2.apple-dns.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "contacts.fe2.apple-dns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.143",
+ "port": 60326
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.50",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.49",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.51",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "contacts.fe2.apple-dns.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.50",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.49",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.51",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.143#60326 (contacts.fe2.apple-dns.net.): answer: contacts.fe2.apple-dns.net. IN A (10.100.0.1) -> NOERROR 66 A 198.51.100.50 66 A 198.51.100.49 66 A 198.51.100.48 66 A 198.51.100.51 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "contacts.fe2.apple-dns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.223",
+ "port": 56323
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.0.in-addr.arpa",
+ "registered_domain": "0.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.223#56323: query: 198.51.100.0.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.0.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.223",
+ "port": 56323
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host025.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.0.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host025.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.223#56323 (198.51.100.0.in-addr.arpa.): answer: 198.51.100.0.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 1800 PTR host025.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.0.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.223",
+ "port": 52617
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.0.in-addr.arpa",
+ "registered_domain": "0.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.223#52617: query: 198.51.100.0.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.0.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 62066
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host026.host026.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host026.host026",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#62066: query: host026.host026.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host026.host026.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.223",
+ "port": 52617
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host025.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.0.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host025.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.223#52617 (198.51.100.0.in-addr.arpa.): answer: 198.51.100.0.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 1800 PTR host025.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.0.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.61",
+ "port": 52256
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "messaging.engagement.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "messaging.engagement",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.61#52256: query: messaging.engagement.office.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "messaging.engagement.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.61",
+ "port": 52256
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-campaignaggregator.omexexternallfb.office.net.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.250",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "messaging.engagement.office.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-campaignaggregator.omexexternallfb.office.net.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.250",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.61#52256 (messaging.engagement.office.com.): answer: messaging.engagement.office.com. IN A (10.100.0.1) -> NOERROR 121 CNAME prod-campaignaggregator.omexexternallfb.office.net.akadns.net. 7 A 198.51.100.250 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "messaging.engagement.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.169",
+ "port": 60503
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.198.51.100.47.in-addr.arpa",
+ "registered_domain": "47.in-addr.arpa",
+ "subdomain": "lb._dns-sd._udp.198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.169#60503: query: lb._dns-sd._udp.198.51.100.47.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.198.51.100.47.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.169",
+ "port": 52052
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host021.host021.host021.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host021.host021.host021",
+ "top_level_domain": "net",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.169#52052: query: host021.host021.host021.example.net IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host021.host021.host021.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.169",
+ "port": 59573
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.192.0.2.2.in-addr.arpa",
+ "registered_domain": "2.in-addr.arpa",
+ "subdomain": "lb._dns-sd._udp.192.0.2",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.169#59573: query: lb._dns-sd._udp.192.0.2.2.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.192.0.2.2.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.169",
+ "port": 60503
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.198.51.100.47.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.169#60503 (lb._dns-sd._udp.198.51.100.47.in-addr.arpa.): answer: lb._dns-sd._udp.198.51.100.47.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.198.51.100.47.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.169",
+ "port": 52052
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host021.host021.host021.example.net.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.169#52052 (host021.host021.host021.example.net.): answer: host021.host021.host021.example.net. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host021.host021.host021.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.169",
+ "port": 59573
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.192.0.2.2.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.169#59573 (lb._dns-sd._udp.192.0.2.2.in-addr.arpa.): answer: lb._dns-sd._udp.192.0.2.2.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.192.0.2.2.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.169",
+ "port": 56353
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.198.51.100.37.in-addr.arpa",
+ "registered_domain": "37.in-addr.arpa",
+ "subdomain": "lb._dns-sd._udp.198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.169#56353: query: lb._dns-sd._udp.198.51.100.37.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.198.51.100.37.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.169",
+ "port": 56353
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.198.51.100.37.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.169#56353 (lb._dns-sd._udp.198.51.100.37.in-addr.arpa.): answer: lb._dns-sd._udp.198.51.100.37.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.198.51.100.37.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.169",
+ "port": 58516
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.198.51.100.180.in-addr.arpa",
+ "registered_domain": "180.in-addr.arpa",
+ "subdomain": "lb._dns-sd._udp.198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.169#58516: query: lb._dns-sd._udp.198.51.100.180.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.198.51.100.180.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.169",
+ "port": 58516
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.198.51.100.180.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.169#58516 (lb._dns-sd._udp.198.51.100.180.in-addr.arpa.): answer: lb._dns-sd._udp.198.51.100.180.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.198.51.100.180.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.39",
+ "port": 62521
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-office.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-office.events.data",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#62521: query: eu-office.events.data.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-office.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.39",
+ "port": 62521
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.aria.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdneu02.northeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-office.events.data.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.aria.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdneu02.northeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#62521 (eu-office.events.data.microsoft.com.): answer: eu-office.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 88 CNAME eu.aria.events.data.trafficmanager.net. 11 CNAME onedscolprdneu02.northeurope.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-office.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.39",
+ "port": 52556
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-office.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-office.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#52556: query: eu-office.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-office.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.39",
+ "port": 52556
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.aria.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdneu02.northeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.155",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-office.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.aria.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdneu02.northeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.155",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#52556 (eu-office.events.data.microsoft.com.): answer: eu-office.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 88 CNAME eu.aria.events.data.trafficmanager.net. 11 CNAME onedscolprdneu02.northeurope.cloudapp.azure.com. 2 A 198.51.100.155 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-office.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 62066
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host026.host026.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#62066 (host026.host026.example.net.): answer: host026.host026.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host026.host026.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.54",
+ "port": 44471
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa",
+ "registered_domain": "52.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.54#44471: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.54",
+ "port": 44471
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.54#44471 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.118",
+ "port": 49228
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "pocketapi2fa.azurewebsites.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "waws-prod-am2-025a.sip.azurewebsites.windows.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "waws-prod-am2-025.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "refinery2fa-afaspocket-nl.trafficmanager.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "pocketapi2fa.azurewebsites.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "waws-prod-am2-025a.sip.azurewebsites.windows.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "waws-prod-am2-025.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.118#49228 (refinery2fa-afaspocket-nl.trafficmanager.net.): answer: refinery2fa-afaspocket-nl.trafficmanager.net. IN TYPE65 (10.100.0.1) -> NOERROR 60 CNAME pocketapi2fa.azurewebsites.net. 30 CNAME waws-prod-am2-025a.sip.azurewebsites.windows.net. 2653 CNAME waws-prod-am2-025.westeurope.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "refinery2fa-afaspocket-nl.trafficmanager.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.232",
+ "port": 65045
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host027.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host027",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.232#65045: query: host027.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host027.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.232",
+ "port": 65045
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host027.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host027",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.232#65045: query: host027.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host027.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.232",
+ "port": 65045
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.0",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host027.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.0",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.232#65045 (host027.example.net.): answer: host027.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.1.0 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host027.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.232",
+ "port": 65045
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host027.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.232#65045 (host027.example.net.): answer: host027.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host027.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.203",
+ "port": 56268
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "example.net",
+ "registered_domain": "example.net",
+ "top_level_domain": "net",
+ "type": "SOA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.203#56268: query: example.net IN SOA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.82",
+ "port": 64639
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com",
+ "registered_domain": "citrix.com",
+ "subdomain": "downloadplugins",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.82#64639: query: downloadplugins.citrix.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.203",
+ "port": 56268
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host015.example.net. empty.empty. 1438828 3600 600 1209600 3600",
+ "type": "SOA"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "example.net.",
+ "type": "SOA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host015.example.net. empty.empty. 1438828 3600 600 1209600 3600",
+ "type": "SOA"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.203#56268 (example.net.): answer: example.net. IN SOA (10.100.0.1) -> NOERROR 3600 SOA host015.example.net. empty.empty. 1438828 3600 600 1209600 3600 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.82",
+ "port": 64639
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.82#64639 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.123",
+ "port": 56811
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.123#56811: query: v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.123",
+ "port": 56811
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "win-global-asimov-leafs-events-data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdeus11.eastus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.154",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "win-global-asimov-leafs-events-data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdeus11.eastus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.154",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.123#56811 (v20.events.data.microsoft.com.): answer: v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 13 CNAME win-global-asimov-leafs-events-data.trafficmanager.net. 6 CNAME onedscolprdeus11.eastus.cloudapp.azure.com. 5 A 198.51.100.154 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 56703
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host028.host028.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host028.host028",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56703: query: host028.host028.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host028.host028.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.157",
+ "port": 63185
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "auth.deepl.com",
+ "registered_domain": "deepl.com",
+ "subdomain": "auth",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.157#63185: query: auth.deepl.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "auth.deepl.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.157",
+ "port": 63185
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "fal-lb.deepl.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.110",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "auth.deepl.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "fal-lb.deepl.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.110",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.157#63185 (auth.deepl.com.): answer: auth.deepl.com. IN A (10.100.0.1) -> NOERROR 36 CNAME fal-lb.deepl.com. 13 A 198.51.100.110 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "auth.deepl.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.179",
+ "port": 61269
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ssl.gstatic.com",
+ "registered_domain": "gstatic.com",
+ "subdomain": "ssl",
+ "top_level_domain": "com",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.179#61269: query: ssl.gstatic.com IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ssl.gstatic.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.147",
+ "port": 64393
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "aws-proxy-gcp.api.sc-gw.com",
+ "registered_domain": "sc-gw.com",
+ "subdomain": "aws-proxy-gcp.api",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.147#64393: query: aws-proxy-gcp.api.sc-gw.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "aws-proxy-gcp.api.sc-gw.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.147",
+ "port": 64393
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.204",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "aws-proxy-gcp.api.sc-gw.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.204",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.147#64393 (aws-proxy-gcp.api.sc-gw.com.): answer: aws-proxy-gcp.api.sc-gw.com. IN A (10.100.0.1) -> NOERROR 42 A 198.51.100.204 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "aws-proxy-gcp.api.sc-gw.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.172",
+ "port": 51399
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "login.microsoftonline.com",
+ "registered_domain": "microsoftonline.com",
+ "subdomain": "login",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.172#51399: query: login.microsoftonline.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "login.microsoftonline.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.172",
+ "port": 51399
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "login.mso.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ak.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.a.prd.aadg.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.209",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.144",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.137",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.146",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.208",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.148",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.145",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.147",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "login.microsoftonline.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "login.mso.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ak.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.a.prd.aadg.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.209",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.144",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.137",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.146",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.208",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.148",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.145",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.147",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.172#51399 (login.microsoftonline.com.): answer: login.microsoftonline.com. IN A (10.100.0.1) -> NOERROR 7955 CNAME login.mso.msidentity.com. 71 CNAME ak.privatelink.msidentity.com. 41 CNAME www.tm.a.prd.aadg.trafficmanager.net. 99 A 198.51.100.209 99 A 198.51.100.144 99 A 198.51.100.137 99 A 198.51.100.146 99 A 198.51.100.208 99 A 198.51.100.148 99 A 198.51.100.145 99 A 198.51.100.147 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "login.microsoftonline.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.85",
+ "port": 49803
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "oauth.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "oauth.officeapps",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.85#49803: query: oauth.officeapps.live.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "oauth.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.85",
+ "port": 49803
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "oauth-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "oauth.officeapps.live.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "oauth-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.85#49803 (oauth.officeapps.live.com.): answer: oauth.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR 52 CNAME oauth-geo.wac.trafficmanager.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "oauth.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.59",
+ "port": 63597
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "pneumandit.azure-devices.net",
+ "registered_domain": "azure-devices.net",
+ "subdomain": "pneumandit",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.59#63597: query: pneumandit.azure-devices.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "pneumandit.azure-devices.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.85",
+ "port": 52241
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "oauth.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "oauth.officeapps",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.85#52241: query: oauth.officeapps.live.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "oauth.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.85",
+ "port": 52241
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "oauth-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "oauth.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "oauth.officeapps.live.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "oauth-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "oauth.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.85#52241 (oauth.officeapps.live.com.): answer: oauth.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 52 CNAME oauth-geo.wac.trafficmanager.net. 57 CNAME oauth.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 12 CNAME wac-0003.wac-msedge.net. 18 A 198.51.100.235 18 A 198.51.100.236 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "oauth.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.117",
+ "port": 59549
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.apple-dns.net",
+ "registered_domain": "apple-dns.net",
+ "subdomain": "mask",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.117#59549: query: mask.apple-dns.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.apple-dns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.117",
+ "port": 59549
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.apple-dns.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.117#59549 (mask.apple-dns.net.): answer: mask.apple-dns.net. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.apple-dns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.117",
+ "port": 56472
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.apple-dns.net",
+ "registered_domain": "apple-dns.net",
+ "subdomain": "mask",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.117#56472: query: mask.apple-dns.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.apple-dns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.117",
+ "port": 56472
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.40",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.42",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.43",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.46",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.45",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.41",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.47",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.44",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "mask.apple-dns.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.40",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.42",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.43",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.46",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.45",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.41",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.47",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.44",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.117#56472 (mask.apple-dns.net.): answer: mask.apple-dns.net. IN A (10.100.0.1) -> NOERROR 3 A 198.51.100.40 3 A 198.51.100.42 3 A 198.51.100.43 3 A 198.51.100.46 3 A 198.51.100.45 3 A 198.51.100.41 3 A 198.51.100.47 3 A 198.51.100.44 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.apple-dns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.109",
+ "port": 56557
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "cc-api-data.adobe.io",
+ "registered_domain": "adobe.io",
+ "subdomain": "cc-api-data",
+ "top_level_domain": "io",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.109#56557: query: cc-api-data.adobe.io IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "cc-api-data.adobe.io"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.109",
+ "port": 56557
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "cc-api-data-ew1.adobe.io.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ethos.dunamis.ethos508-prod-va6.ethos.adobe.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dunamis-ethos508-prod-va6-856defacfb833db1.elb.us-east-1.amazonaws.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.2",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.196",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.5",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "cc-api-data.adobe.io.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "cc-api-data-ew1.adobe.io.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ethos.dunamis.ethos508-prod-va6.ethos.adobe.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dunamis-ethos508-prod-va6-856defacfb833db1.elb.us-east-1.amazonaws.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.2",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.196",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.5",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.109#56557 (cc-api-data.adobe.io.): answer: cc-api-data.adobe.io. IN A (10.100.0.1) -> NOERROR 48 CNAME cc-api-data-ew1.adobe.io. 10 CNAME ethos.dunamis.ethos508-prod-va6.ethos.adobe.net. 56 CNAME dunamis-ethos508-prod-va6-856defacfb833db1.elb.us-east-1.amazonaws.com. 7 A 198.51.100.2 7 A 198.51.100.196 7 A 198.51.100.5 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "cc-api-data.adobe.io."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.54",
+ "port": 37155
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host007",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.54#37155: query: host007.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.54",
+ "port": 37155
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.54#37155 (host007.example.net.): answer: host007.example.net. IN AAAA (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 56703
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host028.host028.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56703 (host028.host028.example.net.): answer: host028.host028.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host028.host028.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.215",
+ "port": 54418
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.215#54418: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.215",
+ "port": 54418
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.215#54418 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.179",
+ "port": 61269
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "fd12:3456:789a::1",
+ "type": "AAAA"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ssl.gstatic.com.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "fd12:3456:789a::1",
+ "type": "AAAA"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.179#61269 (ssl.gstatic.com.): answer: ssl.gstatic.com. IN AAAA (10.100.0.1) -> NOERROR 116 AAAA fd12:3456:789a::1 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ssl.gstatic.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.59",
+ "port": 63597
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "gateway-prod-gw-westeurope-5-g2.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.0",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "pneumandit.azure-devices.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "gateway-prod-gw-westeurope-5-g2.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.0",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.59#63597 (pneumandit.azure-devices.net.): answer: pneumandit.azure-devices.net. IN A (10.100.0.1) -> NOERROR 598 CNAME gateway-prod-gw-westeurope-5-g2.westeurope.cloudapp.azure.com. 8 A 198.51.100.0 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "pneumandit.azure-devices.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.54",
+ "port": 36016
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host008.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host008",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.54#36016: query: host008.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host008.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.54",
+ "port": 36016
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host008.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.54#36016 (host008.example.net.): answer: host008.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host008.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.164",
+ "port": 56989
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host029.host029.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host029.host029",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.164#56989: query: host029.host029.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host029.host029.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.164",
+ "port": 56989
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.29",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host029.host029.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.29",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.164#56989 (host029.host029.example.net.): answer: host029.host029.example.net. IN A (10.100.0.1) -> NOERROR 0 A 10.1.1.29 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host029.host029.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 63397
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host030.host030.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host030.host030",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#63397: query: host030.host030.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host030.host030.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.99",
+ "port": 64841
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host022.host022.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host022.host022",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.99#64841: query: host022.host022.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host022.host022.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.99",
+ "port": 64841
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host023.host023.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.99#64841 (host023.host023.example.net.): answer: host023.host023.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host023.host023.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 62066
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "wpad.canbus.net",
+ "registered_domain": "canbus.net",
+ "subdomain": "wpad",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#62066: query: wpad.canbus.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "wpad.canbus.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.183",
+ "port": 60425
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dms.licdn.com",
+ "registered_domain": "licdn.com",
+ "subdomain": "dms",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.183#60425: query: dms.licdn.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dms.licdn.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.183",
+ "port": 60425
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "dms.cm.licdn.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "dms.licdn.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "dms.cm.licdn.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.183#60425 (dms.licdn.com.): answer: dms.licdn.com. IN TYPE65 (10.100.0.1) -> NOERROR 2 CNAME dms.cm.licdn.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dms.licdn.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.183",
+ "port": 51660
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dms.licdn.com",
+ "registered_domain": "licdn.com",
+ "subdomain": "dms",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.183#51660: query: dms.licdn.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dms.licdn.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.183",
+ "port": 51660
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "dms.cm.licdn.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dms-fsly.sb.lnkdns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "fs-ak-cf.dms.sb.lnkdns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "linkedin.map.fastly.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.15",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.12",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.7",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "dms.licdn.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "dms.cm.licdn.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dms-fsly.sb.lnkdns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "fs-ak-cf.dms.sb.lnkdns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "linkedin.map.fastly.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.15",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.12",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.7",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.183#51660 (dms.licdn.com.): answer: dms.licdn.com. IN A (10.100.0.1) -> NOERROR 2 CNAME dms.cm.licdn.com. 94 CNAME dms-fsly.sb.lnkdns.net. 96 CNAME fs-ak-cf.dms.sb.lnkdns.net. 292 CNAME linkedin.map.fastly.net. 40 A 198.51.100.10 40 A 198.51.100.15 40 A 198.51.100.12 40 A 198.51.100.7 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dms.licdn.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.76",
+ "port": 52973
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.76#52973: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.76",
+ "port": 52973
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.76#52973 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.16",
+ "port": 38153
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host031.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host031",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.16#38153: query: host031.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host031.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.16",
+ "port": 38153
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host031.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.16#38153 (host031.example.net.): answer: host031.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host031.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.16",
+ "port": 46520
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host031.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host031",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.16#46520: query: host031.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host031.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.16",
+ "port": 46520
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.134",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host031.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.134",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.16#46520 (host031.example.net.): answer: host031.example.net. IN A (10.100.0.1) -> NOERROR 300 A 10.1.1.134 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host031.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.54",
+ "port": 36261
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host007",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.54#36261: query: host007.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.54",
+ "port": 36261
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "10.100.0.1",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "10.100.0.1",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.54#36261 (host007.example.net.): answer: host007.example.net. IN A (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net. 3600 A 10.100.0.1 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.37",
+ "port": 60273
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.37#60273: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.37",
+ "port": 60273
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.37#60273 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 63397
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host030.host030.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#63397 (host030.host030.example.net.): answer: host030.host030.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host030.host030.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.187",
+ "port": 61978
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eas.outlook.com",
+ "registered_domain": "outlook.com",
+ "subdomain": "eas",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.187#61978: query: eas.outlook.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eas.outlook.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.187",
+ "port": 61978
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.office365.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eas.outlook.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.office365.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.187#61978 (eas.outlook.com.): answer: eas.outlook.com. IN TYPE65 (10.100.0.1) -> NOERROR 117 CNAME outlook.office365.com. 220 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eas.outlook.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.187",
+ "port": 62797
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eas.outlook.com",
+ "registered_domain": "outlook.com",
+ "subdomain": "eas",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.187#62797: query: eas.outlook.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eas.outlook.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.187",
+ "port": 62797
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.office365.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eas.outlook.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.office365.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.187#62797 (eas.outlook.com.): answer: eas.outlook.com. IN A (10.100.0.1) -> NOERROR 117 CNAME outlook.office365.com. 220 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.10 7 A 198.51.100.6 7 A 198.51.100.218 7 A 198.51.100.11 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eas.outlook.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.36",
+ "port": 55473
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host032.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host032",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.36#55473: query: host032.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host032.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.36",
+ "port": 55473
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.6",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host032.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.6",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.36#55473 (host032.example.net.): answer: host032.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.1.6 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host032.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 63421
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "graph-fallback.facebook.com",
+ "registered_domain": "facebook.com",
+ "subdomain": "graph-fallback",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#63421: query: graph-fallback.facebook.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph-fallback.facebook.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 64289
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "graph.facebook.com",
+ "registered_domain": "facebook.com",
+ "subdomain": "graph",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#64289: query: graph.facebook.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.facebook.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 64289
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "star.c10r.facebook.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.24",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "graph.facebook.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "star.c10r.facebook.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.24",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#64289 (graph.facebook.com.): answer: graph.facebook.com. IN A (10.100.0.1) -> NOERROR 266 CNAME star.c10r.facebook.com. 56 A 198.51.100.24 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.facebook.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.21",
+ "port": 55485
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host033.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host033",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#55485: query: host033.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host033.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.21",
+ "port": 55485
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.240",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host033.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.240",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#55485 (host033.example.net.): answer: host033.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.240 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host033.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.21",
+ "port": 55485
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host033.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host033",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#55485: query: host033.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host033.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.21",
+ "port": 55485
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host033.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#55485 (host033.example.net.): answer: host033.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host033.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.73",
+ "port": 52850
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host034.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host034",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.73#52850: query: host034.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host034.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.73",
+ "port": 52850
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host034.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.73#52850 (host034.example.net.): answer: host034.example.net. IN A (10.100.0.1) -> NOERROR 1200 A 10.1.0.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host034.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.21",
+ "port": 50211
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host035.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host035",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#50211: query: host035.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host035.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.21",
+ "port": 50211
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host035.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host035",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#50211: query: host035.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host035.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.21",
+ "port": 50211
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.241",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host035.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.241",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#50211 (host035.example.net.): answer: host035.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.241 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host035.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.21",
+ "port": 50211
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host035.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#50211 (host035.example.net.): answer: host035.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host035.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 55948
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "i-fallback.instagram.com",
+ "registered_domain": "instagram.com",
+ "subdomain": "i-fallback",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#55948: query: i-fallback.instagram.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "i-fallback.instagram.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 55948
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "star.fallback.c10r.instagram.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.20",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "i-fallback.instagram.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "star.fallback.c10r.instagram.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.20",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#55948 (i-fallback.instagram.com.): answer: i-fallback.instagram.com. IN A (10.100.0.1) -> NOERROR 2008 CNAME star.fallback.c10r.instagram.com. 8 A 198.51.100.20 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "i-fallback.instagram.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 63421
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "star.fallback.c10r.facebook.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.19",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "graph-fallback.facebook.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "star.fallback.c10r.facebook.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.19",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#63421 (graph-fallback.facebook.com.): answer: graph-fallback.facebook.com. IN A (10.100.0.1) -> NOERROR 3182 CNAME star.fallback.c10r.facebook.com. 22 A 198.51.100.19 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph-fallback.facebook.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.183",
+ "port": 55066
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dms.cm.licdn.com",
+ "registered_domain": "licdn.com",
+ "subdomain": "dms.cm",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.183#55066: query: dms.cm.licdn.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dms.cm.licdn.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.183",
+ "port": 55066
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "dms-fsly.sb.lnkdns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "fs-ak-cf.dms.sb.lnkdns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "dms.cm.licdn.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "dms-fsly.sb.lnkdns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "fs-ak-cf.dms.sb.lnkdns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.183#55066 (dms.cm.licdn.com.): answer: dms.cm.licdn.com. IN TYPE65 (10.100.0.1) -> NOERROR 94 CNAME dms-fsly.sb.lnkdns.net. 96 CNAME fs-ak-cf.dms.sb.lnkdns.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dms.cm.licdn.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.163",
+ "port": 61047
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mail.ofcggz.nl",
+ "registered_domain": "ofcggz.nl",
+ "subdomain": "mail",
+ "top_level_domain": "nl",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.163#61047: query: mail.ofcggz.nl IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mail.ofcggz.nl"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.54",
+ "port": 35774
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa",
+ "registered_domain": "52.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.54#35774: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.54",
+ "port": 35774
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.54#35774 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64710
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa",
+ "registered_domain": "52.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64710: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64710
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64710 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64711
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host036.host036.host036.host036",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64711: query: host036.host036.host036.host036.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64711
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64711 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.138",
+ "port": 60040
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host037.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host037",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60040: query: host037.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host037.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.138",
+ "port": 60040
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host037.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60040 (host037.example.net.): answer: host037.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host037.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64712
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host036.host036.host036.host036",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64712: query: host036.host036.host036.host036.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64712
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64712 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.39",
+ "port": 54535
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "graph.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "graph",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#54535: query: graph.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.39",
+ "port": 54535
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ags.privatelink.msidentity.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "graph.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ags.privatelink.msidentity.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#54535 (graph.microsoft.com.): answer: graph.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 1054 CNAME ags.privatelink.msidentity.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.39",
+ "port": 59928
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "graph.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "graph",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#59928: query: graph.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.39",
+ "port": 59928
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ags.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.prd.ags.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.141",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.139",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.138",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.149",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.142",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.140",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.143",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "graph.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ags.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.prd.ags.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.141",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.139",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.138",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.149",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.142",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.140",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.143",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#59928 (graph.microsoft.com.): answer: graph.microsoft.com. IN A (10.100.0.1) -> NOERROR 1055 CNAME ags.privatelink.msidentity.com. 165 CNAME www.tm.prd.ags.akadns.net. 122 A 198.51.100.141 122 A 198.51.100.210 122 A 198.51.100.139 122 A 198.51.100.138 122 A 198.51.100.149 122 A 198.51.100.142 122 A 198.51.100.140 122 A 198.51.100.143 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64713
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host038.host038.host038",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64713: query: host038.host038.host038.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64713
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64713 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 60306
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "i.instagram.com",
+ "registered_domain": "instagram.com",
+ "subdomain": "i",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#60306: query: i.instagram.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "i.instagram.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 60306
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "instagram.c10r.instagram.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.27",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "i.instagram.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "instagram.c10r.instagram.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.27",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#60306 (i.instagram.com.): answer: i.instagram.com. IN A (10.100.0.1) -> NOERROR 1961 CNAME instagram.c10r.instagram.com. 36 A 198.51.100.27 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "i.instagram.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64714
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host038.host038.host038",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64714: query: host038.host038.host038.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64714
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64714 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64715
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host039",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64715: query: host039.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64715
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.205",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.205",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64715 (host039.example.net.): answer: host039.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.205 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.39",
+ "port": 50146
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "res.public.onecdn.static.microsoft",
+ "registered_domain": "static.microsoft",
+ "subdomain": "res.public.onecdn",
+ "top_level_domain": "microsoft",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#50146: query: res.public.onecdn.static.microsoft IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "res.public.onecdn.static.microsoft"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.39",
+ "port": 50146
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "res-ocdi-public.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-1.public.onecdn.static.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-ocdi-stls-prod.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a434.dscd.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "res.public.onecdn.static.microsoft.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "res-ocdi-public.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-1.public.onecdn.static.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-ocdi-stls-prod.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a434.dscd.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#50146 (res.public.onecdn.static.microsoft.): answer: res.public.onecdn.static.microsoft. IN TYPE65 (10.100.0.1) -> NOERROR 281 CNAME res-ocdi-public.trafficmanager.net. 86 CNAME res-1.public.onecdn.static.microsoft. 18 CNAME res-ocdi-stls-prod.edgesuite.net. 118 CNAME a434.dscd.akamai.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "res.public.onecdn.static.microsoft."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.39",
+ "port": 55040
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "res.public.onecdn.static.microsoft",
+ "registered_domain": "static.microsoft",
+ "subdomain": "res.public.onecdn",
+ "top_level_domain": "microsoft",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#55040: query: res.public.onecdn.static.microsoft IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "res.public.onecdn.static.microsoft"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.39",
+ "port": 55040
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "res-ocdi-public.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-1.public.onecdn.static.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-ocdi-stls-prod.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a434.dscd.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.74",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.64",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.70",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.63",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.67 14",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "res.public.onecdn.static.microsoft.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "res-ocdi-public.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-1.public.onecdn.static.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-ocdi-stls-prod.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a434.dscd.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.74",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.64",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.70",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.63",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.67 14",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.39#55040 (res.public.onecdn.static.microsoft.): answer: res.public.onecdn.static.microsoft. IN A (10.100.0.1) -> NOERROR 282 CNAME res-ocdi-public.trafficmanager.net. 87 CNAME res-1.public.onecdn.static.microsoft. 19 CNAME res-ocdi-stls-prod.edgesuite.net. 119 CNAME a434.dscd.akamai.net. 14 A 198.51.100.74 14 A 198.51.100.64 14 A 198.51.100.70 14 A 198.51.100.63 14 A 198.51.100.67 14 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "res.public.onecdn.static.microsoft."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64716
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host039",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64716: query: host039.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64716
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64716 (host039.example.net.): answer: host039.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.72",
+ "port": 53714
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "play.google.com",
+ "registered_domain": "google.com",
+ "subdomain": "play",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.72#53714: query: play.google.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "play.google.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.72",
+ "port": 56170
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "play.google.com",
+ "registered_domain": "google.com",
+ "subdomain": "play",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.72#56170: query: play.google.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "play.google.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.72",
+ "port": 53714
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "play.google.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.72#53714 (play.google.com.): answer: play.google.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "play.google.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.72",
+ "port": 56170
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.253",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "play.google.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.253",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.72#56170 (play.google.com.): answer: play.google.com. IN A (10.100.0.1) -> NOERROR 296 A 198.51.100.253 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "play.google.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.116",
+ "port": 52260
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host040.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host040",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.116#52260: query: host040.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host040.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.116",
+ "port": 52260
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.233",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host040.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.233",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.116#52260 (host040.example.net.): answer: host040.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.233 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host040.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.138",
+ "port": 60040
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host037.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host037",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60040: query: host037.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host037.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.138",
+ "port": 60040
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.14",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host037.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.14",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60040 (host037.example.net.): answer: host037.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.1.14 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host037.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 56090
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "graph-fallback.instagram.com",
+ "registered_domain": "instagram.com",
+ "subdomain": "graph-fallback",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#56090: query: graph-fallback.instagram.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph-fallback.instagram.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 56090
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "star.fallback.c10r.instagram.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.20",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "graph-fallback.instagram.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "star.fallback.c10r.instagram.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.20",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#56090 (graph-fallback.instagram.com.): answer: graph-fallback.instagram.com. IN A (10.100.0.1) -> NOERROR 949 CNAME star.fallback.c10r.instagram.com. 8 A 198.51.100.20 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph-fallback.instagram.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 60503
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "graph.instagram.com",
+ "registered_domain": "instagram.com",
+ "subdomain": "graph",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#60503: query: graph.instagram.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.instagram.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 60503
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "instagram.c10r.instagram.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.27",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "graph.instagram.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "instagram.c10r.instagram.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.27",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#60503 (graph.instagram.com.): answer: graph.instagram.com. IN A (10.100.0.1) -> NOERROR 2153 CNAME instagram.c10r.instagram.com. 36 A 198.51.100.27 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.instagram.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.3",
+ "port": 57911
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host007",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.3#57911: query: host007.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.3",
+ "port": 57911
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host007",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.3#57911: query: host007.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.3",
+ "port": 57911
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "10.100.0.1",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "10.100.0.1",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.3#57911 (host007.example.net.): answer: host007.example.net. IN A (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net. 3600 A 10.100.0.1 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.3",
+ "port": 57911
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.3#57911 (host007.example.net.): answer: host007.example.net. IN AAAA (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.163",
+ "port": 61047
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.108",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "mail.ofcggz.nl.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.108",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.163#61047 (mail.ofcggz.nl.): answer: mail.ofcggz.nl. IN A (10.100.0.1) -> NOERROR 60 A 198.51.100.108 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mail.ofcggz.nl."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 62066
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "wpad.canbus.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#62066 (wpad.canbus.net.): answer: wpad.canbus.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "wpad.canbus.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.96",
+ "port": 50532
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "winatp-gw-weu",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.96#50532: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.96",
+ "port": 50532
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.96#50532 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.76",
+ "port": 65177
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "outlook.office365.com",
+ "registered_domain": "office365.com",
+ "subdomain": "outlook",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.76#65177: query: outlook.office365.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "outlook.office365.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.76",
+ "port": 65177
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "outlook.office365.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.76#65177 (outlook.office365.com.): answer: outlook.office365.com. IN A (10.100.0.1) -> NOERROR 220 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.10 7 A 198.51.100.11 7 A 198.51.100.218 7 A 198.51.100.6 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "outlook.office365.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.128",
+ "port": 57935
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "obseu.seroundprince.com",
+ "registered_domain": "seroundprince.com",
+ "subdomain": "obseu",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#57935: query: obseu.seroundprince.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "obseu.seroundprince.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.128",
+ "port": 60255
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "obseu.seroundprince.com",
+ "registered_domain": "seroundprince.com",
+ "subdomain": "obseu",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#60255: query: obseu.seroundprince.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "obseu.seroundprince.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 61325
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gsp85-ssl.ls.apple.com",
+ "registered_domain": "apple.com",
+ "subdomain": "gsp85-ssl.ls",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#61325: query: gsp85-ssl.ls.apple.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gsp85-ssl.ls.apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 61325
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "gsp85-ssl.ls2-apple.com.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "gsp85-ssl.ls.apple.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "gsp85-ssl.ls2-apple.com.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#61325 (gsp85-ssl.ls.apple.com.): answer: gsp85-ssl.ls.apple.com. IN TYPE65 (10.100.0.1) -> NOERROR 1017 CNAME gsp85-ssl.ls2-apple.com.akadns.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gsp85-ssl.ls.apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.88",
+ "port": 59888
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "europe.smartscreen",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.88#59888: query: europe.smartscreen.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.88",
+ "port": 59888
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.88#59888 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.88",
+ "port": 58317
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "europe.smartscreen",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.88#58317: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.88",
+ "port": 58317
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.88#58317 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.93",
+ "port": 59023
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.93#59023: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.93",
+ "port": 59023
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.93#59023 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 49899
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gsp85-ssl.ls.apple.com",
+ "registered_domain": "apple.com",
+ "subdomain": "gsp85-ssl.ls",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#49899: query: gsp85-ssl.ls.apple.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gsp85-ssl.ls.apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 49899
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "gsp85-ssl.ls2-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.23",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "gsp85-ssl.ls.apple.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "gsp85-ssl.ls2-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.23",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#49899 (gsp85-ssl.ls.apple.com.): answer: gsp85-ssl.ls.apple.com. IN A (10.100.0.1) -> NOERROR 1017 CNAME gsp85-ssl.ls2-apple.com.akadns.net. 27 A 198.51.100.23 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gsp85-ssl.ls.apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.195",
+ "port": 53662
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "logs.eu-west-1.amazonaws.com",
+ "registered_domain": "amazonaws.com",
+ "subdomain": "logs.eu-west-1",
+ "top_level_domain": "com",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#53662: query: logs.eu-west-1.amazonaws.com IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "logs.eu-west-1.amazonaws.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.195",
+ "port": 53662
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "logs.eu-west-1.amazonaws.com.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#53662 (logs.eu-west-1.amazonaws.com.): answer: logs.eu-west-1.amazonaws.com. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "logs.eu-west-1.amazonaws.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.138",
+ "port": 60040
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host041.host041.host041.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host041.host041.host041",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60040: query: host041.host041.host041.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host041.host041.host041.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.138",
+ "port": 60040
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host041.host041.host041.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60040 (host041.host041.host041.example.net.): answer: host041.host041.host041.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host041.host041.host041.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.195",
+ "port": 33835
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "logs.eu-west-1.amazonaws.com",
+ "registered_domain": "amazonaws.com",
+ "subdomain": "logs.eu-west-1",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#33835: query: logs.eu-west-1.amazonaws.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "logs.eu-west-1.amazonaws.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.195",
+ "port": 33835
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.189",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.191",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.194",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.187",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.188",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.192",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.193",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.190",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "logs.eu-west-1.amazonaws.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.189",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.191",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.194",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.187",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.188",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.192",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.193",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.190",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#33835 (logs.eu-west-1.amazonaws.com.): answer: logs.eu-west-1.amazonaws.com. IN A (10.100.0.1) -> NOERROR 12 A 198.51.100.189 12 A 198.51.100.191 12 A 198.51.100.194 12 A 198.51.100.187 12 A 198.51.100.188 12 A 198.51.100.192 12 A 198.51.100.193 12 A 198.51.100.190 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "logs.eu-west-1.amazonaws.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 56970
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "_dns.resolver.arpa",
+ "registered_domain": "resolver.arpa",
+ "subdomain": "_dns",
+ "top_level_domain": "arpa",
+ "type": "TYPE64"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#56970: query: _dns.resolver.arpa IN TYPE64 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "_dns.resolver.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 56970
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "_dns.resolver.arpa.",
+ "type": "TYPE64"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#56970 (_dns.resolver.arpa.): answer: _dns.resolver.arpa. IN TYPE64 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "_dns.resolver.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.195",
+ "port": 35084
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "logs.eu-west-1.amazonaws.com",
+ "registered_domain": "amazonaws.com",
+ "subdomain": "logs.eu-west-1",
+ "top_level_domain": "com",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#35084: query: logs.eu-west-1.amazonaws.com IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "logs.eu-west-1.amazonaws.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.195",
+ "port": 35084
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "logs.eu-west-1.amazonaws.com.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#35084 (logs.eu-west-1.amazonaws.com.): answer: logs.eu-west-1.amazonaws.com. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "logs.eu-west-1.amazonaws.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.195",
+ "port": 41572
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "logs.eu-west-1.amazonaws.com",
+ "registered_domain": "amazonaws.com",
+ "subdomain": "logs.eu-west-1",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#41572: query: logs.eu-west-1.amazonaws.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "logs.eu-west-1.amazonaws.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.195",
+ "port": 41572
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.190",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.189",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.191",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.194",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.187",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.188",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.192",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.193",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "logs.eu-west-1.amazonaws.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.190",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.189",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.191",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.194",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.187",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.188",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.192",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.193",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#41572 (logs.eu-west-1.amazonaws.com.): answer: logs.eu-west-1.amazonaws.com. IN A (10.100.0.1) -> NOERROR 12 A 198.51.100.190 12 A 198.51.100.189 12 A 198.51.100.191 12 A 198.51.100.194 12 A 198.51.100.187 12 A 198.51.100.188 12 A 198.51.100.192 12 A 198.51.100.193 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "logs.eu-west-1.amazonaws.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.195",
+ "port": 50279
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "logs.eu-west-1.amazonaws.com",
+ "registered_domain": "amazonaws.com",
+ "subdomain": "logs.eu-west-1",
+ "top_level_domain": "com",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#50279: query: logs.eu-west-1.amazonaws.com IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "logs.eu-west-1.amazonaws.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.195",
+ "port": 50279
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "logs.eu-west-1.amazonaws.com.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#50279 (logs.eu-west-1.amazonaws.com.): answer: logs.eu-west-1.amazonaws.com. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "logs.eu-west-1.amazonaws.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.195",
+ "port": 41251
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "logs.eu-west-1.amazonaws.com",
+ "registered_domain": "amazonaws.com",
+ "subdomain": "logs.eu-west-1",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#41251: query: logs.eu-west-1.amazonaws.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "logs.eu-west-1.amazonaws.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.195",
+ "port": 41251
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.188",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.192",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.193",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.190",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.189",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.191",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.194",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.187",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "logs.eu-west-1.amazonaws.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.188",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.192",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.193",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.190",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.189",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.191",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.194",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.187",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#41251 (logs.eu-west-1.amazonaws.com.): answer: logs.eu-west-1.amazonaws.com. IN A (10.100.0.1) -> NOERROR 12 A 198.51.100.188 12 A 198.51.100.192 12 A 198.51.100.193 12 A 198.51.100.190 12 A 198.51.100.189 12 A 198.51.100.191 12 A 198.51.100.194 12 A 198.51.100.187 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "logs.eu-west-1.amazonaws.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.195",
+ "port": 38988
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "logs.eu-west-1.amazonaws.com",
+ "registered_domain": "amazonaws.com",
+ "subdomain": "logs.eu-west-1",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#38988: query: logs.eu-west-1.amazonaws.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "logs.eu-west-1.amazonaws.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.195",
+ "port": 38988
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.189",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.191",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.194",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.187",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.188",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.192",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.193",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.190",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "logs.eu-west-1.amazonaws.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.189",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.191",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.194",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.187",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.188",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.192",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.193",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.190",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#38988 (logs.eu-west-1.amazonaws.com.): answer: logs.eu-west-1.amazonaws.com. IN A (10.100.0.1) -> NOERROR 12 A 198.51.100.189 12 A 198.51.100.191 12 A 198.51.100.194 12 A 198.51.100.187 12 A 198.51.100.188 12 A 198.51.100.192 12 A 198.51.100.193 12 A 198.51.100.190 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "logs.eu-west-1.amazonaws.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.195",
+ "port": 36750
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "logs.eu-west-1.amazonaws.com",
+ "registered_domain": "amazonaws.com",
+ "subdomain": "logs.eu-west-1",
+ "top_level_domain": "com",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#36750: query: logs.eu-west-1.amazonaws.com IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "logs.eu-west-1.amazonaws.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.195",
+ "port": 36750
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "logs.eu-west-1.amazonaws.com.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.195#36750 (logs.eu-west-1.amazonaws.com.): answer: logs.eu-west-1.amazonaws.com. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "logs.eu-west-1.amazonaws.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.128",
+ "port": 60255
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "obseu.seroundprince.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#60255 (obseu.seroundprince.com.): answer: obseu.seroundprince.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "obseu.seroundprince.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.106",
+ "port": 62425
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "europe.smartscreen",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.106#62425: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.106",
+ "port": 62425
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.106#62425 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.19",
+ "port": 55292
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ctldl.windowsupdate.com",
+ "registered_domain": "windowsupdate.com",
+ "subdomain": "ctldl",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.19#55292: query: ctldl.windowsupdate.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ctldl.windowsupdate.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.19",
+ "port": 55292
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ctldl.windowsupdate.com.delivery.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wu-b-net.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "bg.microsoft.map.fastly.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.111",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.112",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ctldl.windowsupdate.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ctldl.windowsupdate.com.delivery.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wu-b-net.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "bg.microsoft.map.fastly.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.111",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.112",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.19#55292 (ctldl.windowsupdate.com.): answer: ctldl.windowsupdate.com. IN A (10.100.0.1) -> NOERROR 2379 CNAME ctldl.windowsupdate.com.delivery.microsoft.com. 2350 CNAME wu-b-net.trafficmanager.net. 247 CNAME bg.microsoft.map.fastly.net. 19 A 198.51.100.111 19 A 198.51.100.112 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ctldl.windowsupdate.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 56900
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gsp85-ssl.ls2-apple.com.akadns.net",
+ "registered_domain": "akadns.net",
+ "subdomain": "gsp85-ssl.ls2-apple.com",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#56900: query: gsp85-ssl.ls2-apple.com.akadns.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gsp85-ssl.ls2-apple.com.akadns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 56900
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gsp85-ssl.ls2-apple.com.akadns.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#56900 (gsp85-ssl.ls2-apple.com.akadns.net.): answer: gsp85-ssl.ls2-apple.com.akadns.net. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gsp85-ssl.ls2-apple.com.akadns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.126",
+ "port": 61396
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "outlook.office365.com",
+ "registered_domain": "office365.com",
+ "subdomain": "outlook",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.126#61396: query: outlook.office365.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "outlook.office365.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.126",
+ "port": 61396
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "outlook.office365.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.126#61396 (outlook.office365.com.): answer: outlook.office365.com. IN A (10.100.0.1) -> NOERROR 220 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.6 7 A 198.51.100.10 7 A 198.51.100.11 7 A 198.51.100.218 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "outlook.office365.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.223",
+ "port": 52542
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.0.in-addr.arpa",
+ "registered_domain": "0.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.223#52542: query: 198.51.100.0.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.0.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.223",
+ "port": 52542
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host025.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.0.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host025.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.223#52542 (198.51.100.0.in-addr.arpa.): answer: 198.51.100.0.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 1800 PTR host025.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.0.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54963
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa",
+ "registered_domain": "52.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54963: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54963
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54963 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.92",
+ "port": 51600
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "europe.smartscreen",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.92#51600: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.92",
+ "port": 51600
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.92#51600 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54964
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host036.host036.host036.host036",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54964: query: host036.host036.host036.host036.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54964
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54964 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.49",
+ "port": 49918
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edr-weu.eu.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.49#49918: query: edr-weu.eu.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.49",
+ "port": 49918
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.158",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.158",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.49#49918 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 15 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com. 3 A 198.51.100.158 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54965
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host036.host036.host036.host036",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54965: query: host036.host036.host036.host036.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54965
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54965 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54966
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host038.host038.host038",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54966: query: host038.host038.host038.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54966
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54966 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54967
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host038.host038.host038",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54967: query: host038.host038.host038.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54967
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54967 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54968
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host039",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54968: query: host039.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54968
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.205",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.205",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54968 (host039.example.net.): answer: host039.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.205 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54969
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host039",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54969: query: host039.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54969
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54969 (host039.example.net.): answer: host039.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 47598
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.57.in-addr.arpa",
+ "registered_domain": "57.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#47598: query: 198.51.100.57.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.57.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 47598
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host042.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.57.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host042.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#47598 (198.51.100.57.in-addr.arpa.): answer: 198.51.100.57.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host042.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.57.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.34",
+ "port": 59472
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "europe.smartscreen",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.34#59472: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.34",
+ "port": 59472
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.34#59472 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.45",
+ "port": 53419
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa",
+ "registered_domain": "52.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53419: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.45",
+ "port": 53419
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53419 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.51",
+ "port": 57571
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.51#57571: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.45",
+ "port": 53420
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host036.host036.host036.host036",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53420: query: host036.host036.host036.host036.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.51",
+ "port": 57571
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.51#57571 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.45",
+ "port": 53420
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53420 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.45",
+ "port": 53421
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host036.host036.host036.host036",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53421: query: host036.host036.host036.host036.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.45",
+ "port": 53421
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53421 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.45",
+ "port": 53422
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host038.host038.host038",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53422: query: host038.host038.host038.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.45",
+ "port": 53422
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53422 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.175",
+ "port": 52298
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "config.teams.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "config.teams",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.175#52298: query: config.teams.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "config.teams.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.175",
+ "port": 52298
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "config.teams.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dual-s-0005-teams.config.skype.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "config-teams.s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.251",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.252",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "config.teams.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "config.teams.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dual-s-0005-teams.config.skype.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "config-teams.s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.251",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.252",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.175#52298 (config.teams.microsoft.com.): answer: config.teams.microsoft.com. IN A (10.100.0.1) -> NOERROR 3013 CNAME config.teams.trafficmanager.net. 47 CNAME dual-s-0005-teams.config.skype.com. 5719 CNAME config-teams.s-0005.dual-s-msedge.net. 92 CNAME s-0005.dual-s-msedge.net. 25 A 198.51.100.251 25 A 198.51.100.252 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "config.teams.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.45",
+ "port": 53423
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host038.host038.host038",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53423: query: host038.host038.host038.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.45",
+ "port": 53423
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53423 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.45",
+ "port": 53424
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host039",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53424: query: host039.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.45",
+ "port": 53424
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.205",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.205",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53424 (host039.example.net.): answer: host039.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.205 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.45",
+ "port": 53425
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host039",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53425: query: host039.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.45",
+ "port": 53425
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.45#53425 (host039.example.net.): answer: host039.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.135",
+ "port": 63065
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ctldl.windowsupdate.com",
+ "registered_domain": "windowsupdate.com",
+ "subdomain": "ctldl",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.135#63065: query: ctldl.windowsupdate.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ctldl.windowsupdate.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.135",
+ "port": 63065
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ctldl.windowsupdate.com.delivery.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wu-b-net.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "bg.microsoft.map.fastly.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.111",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.112",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ctldl.windowsupdate.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ctldl.windowsupdate.com.delivery.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wu-b-net.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "bg.microsoft.map.fastly.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.111",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.112",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.135#63065 (ctldl.windowsupdate.com.): answer: ctldl.windowsupdate.com. IN A (10.100.0.1) -> NOERROR 2379 CNAME ctldl.windowsupdate.com.delivery.microsoft.com. 2350 CNAME wu-b-net.trafficmanager.net. 247 CNAME bg.microsoft.map.fastly.net. 19 A 198.51.100.111 19 A 198.51.100.112 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ctldl.windowsupdate.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.153",
+ "port": 49392
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "cl3.apple.com",
+ "registered_domain": "apple.com",
+ "subdomain": "cl3",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.153#49392: query: cl3.apple.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "cl3.apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.23",
+ "port": 49927
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "outlook.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "outlook",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.23#49927: query: outlook.office.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "outlook.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.23",
+ "port": 49927
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "outlook.office.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.23#49927 (outlook.office.com.): answer: outlook.office.com. IN A (10.100.0.1) -> NOERROR 31 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.6 7 A 198.51.100.218 7 A 198.51.100.11 7 A 198.51.100.10 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "outlook.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.61",
+ "port": 57029
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.snsbank.nl",
+ "registered_domain": "snsbank.nl",
+ "subdomain": "www",
+ "top_level_domain": "nl",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.61#57029: query: www.snsbank.nl IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.snsbank.nl"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.61",
+ "port": 54387
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.snsbank.nl",
+ "registered_domain": "snsbank.nl",
+ "subdomain": "www",
+ "top_level_domain": "nl",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.61#54387: query: www.snsbank.nl IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.snsbank.nl"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.239",
+ "port": 59161
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "example.net",
+ "registered_domain": "example.net",
+ "top_level_domain": "net",
+ "type": "SOA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.239#59161: query: example.net IN SOA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.239",
+ "port": 59161
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host015.example.net. empty.empty. 1438828 3600 600 1209600 3600",
+ "type": "SOA"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "example.net.",
+ "type": "SOA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host015.example.net. empty.empty. 1438828 3600 600 1209600 3600",
+ "type": "SOA"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.239#59161 (example.net.): answer: example.net. IN SOA (10.100.0.1) -> NOERROR 3600 SOA host015.example.net. empty.empty. 1438828 3600 600 1209600 3600 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.153",
+ "port": 65237
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "cl3.apple.com",
+ "registered_domain": "apple.com",
+ "subdomain": "cl3",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.153#65237: query: cl3.apple.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "cl3.apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.76",
+ "port": 50409
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "sn.webrootcloudav.com",
+ "registered_domain": "webrootcloudav.com",
+ "subdomain": "sn",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.76#50409: query: sn.webrootcloudav.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "sn.webrootcloudav.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.76",
+ "port": 50409
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.20",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.225",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.21",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "sn.webrootcloudav.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.20",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.225",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.21",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.76#50409 (sn.webrootcloudav.com.): answer: sn.webrootcloudav.com. IN A (10.100.0.1) -> NOERROR 40 A 198.51.100.20 40 A 198.51.100.225 40 A 198.51.100.21 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "sn.webrootcloudav.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.138",
+ "port": 60043
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host037.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host037",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60043: query: host037.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host037.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.138",
+ "port": 60043
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host037.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60043 (host037.example.net.): answer: host037.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host037.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.138",
+ "port": 60043
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host037.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host037",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60043: query: host037.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host037.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.138",
+ "port": 60043
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.14",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host037.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.14",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60043 (host037.example.net.): answer: host037.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.1.14 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host037.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.138",
+ "port": 60043
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host041.host041.host041.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host041.host041.host041",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60043: query: host041.host041.host041.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host041.host041.host041.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.138",
+ "port": 60043
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host041.host041.host041.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60043 (host041.host041.host041.example.net.): answer: host041.host041.host041.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host041.host041.host041.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.153",
+ "port": 49392
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "cl3.apple.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.153#49392 (cl3.apple.com.): answer: cl3.apple.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "cl3.apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.16",
+ "port": 57345
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "winatp-gw-weu",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.16#57345: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.16",
+ "port": 57345
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.16#57345 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.61",
+ "port": 57029
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.snsbank.nl.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.61#57029 (www.snsbank.nl.): answer: www.snsbank.nl. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.snsbank.nl."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.54",
+ "port": 49940
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host043.host043.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host043.host043",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.54#49940: query: host043.host043.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host043.host043.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.54",
+ "port": 49940
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.216",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host043.host043.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.216",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.54#49940 (host043.host043.example.net.): answer: host043.host043.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.216 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host043.host043.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.35",
+ "port": 65420
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.35#65420: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.35",
+ "port": 65420
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.35#65420 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.128",
+ "port": 57935
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "master.eu-west-1.prod.engine-nlb.cheqzone.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.198",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "obseu.seroundprince.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "master.eu-west-1.prod.engine-nlb.cheqzone.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.198",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#57935 (obseu.seroundprince.com.): answer: obseu.seroundprince.com. IN A (10.100.0.1) -> NOERROR 60 CNAME master.eu-west-1.prod.engine-nlb.cheqzone.com. 17 A 198.51.100.198 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "obseu.seroundprince.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.78",
+ "port": 59789
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "enterpriseregistration.windows.net",
+ "registered_domain": "windows.net",
+ "subdomain": "enterpriseregistration",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.78#59789: query: enterpriseregistration.windows.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "enterpriseregistration.windows.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.78",
+ "port": 59789
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "na.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prdf.aadg.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.f.prd.aadg.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.213",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.150",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.215",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.152",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.151",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.214",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.211",
+ "type": "A"
+ },
+ {
+ "data": "40.12",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "enterpriseregistration.windows.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "na.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prdf.aadg.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.f.prd.aadg.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.213",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.150",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.215",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.152",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.151",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.214",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.211",
+ "type": "A"
+ },
+ {
+ "data": "40.12",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.78#59789 (enterpriseregistration.windows.net.): answer: enterpriseregistration.windows.net. IN A (10.100.0.1) -> NOERROR 1792 CNAME na.privatelink.msidentity.com. 129 CNAME prdf.aadg.msidentity.com. 21 CNAME www.tm.f.prd.aadg.akadns.net. 291 A 198.51.100.213 291 A 198.51.100.150 291 A 198.51.100.215 291 A 198.51.100.152 291 A 198.51.100.151 291 A 198.51.100.214 291 A 198.51.100.211 291 A 40.12"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "enterpriseregistration.windows.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.225",
+ "port": 60834
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host044.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host044",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.225#60834: query: host044.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host044.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.225",
+ "port": 60834
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host044.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.225#60834 (host044.example.net.): answer: host044.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host044.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.194",
+ "port": 39477
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.81.in-addr.arpa",
+ "registered_domain": "81.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.194#39477: query: 198.51.100.81.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.81.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.194",
+ "port": 39477
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host045.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.81.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host045.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.194#39477 (198.51.100.81.in-addr.arpa.): answer: 198.51.100.81.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host045.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.81.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.137",
+ "port": 7122
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-mobile.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-mobile.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.137#7122: query: eu-mobile.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-mobile.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.137",
+ "port": 7122
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-mobile.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.137#7122 (eu-mobile.events.data.microsoft.com.): answer: eu-mobile.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 8 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-mobile.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.153",
+ "port": 65237
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "cl3-cdn.origin-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cl3.g.aaplimg.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.57",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.52",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "cl3.apple.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "cl3-cdn.origin-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cl3.g.aaplimg.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.57",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.52",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.153#65237 (cl3.apple.com.): answer: cl3.apple.com. IN A (10.100.0.1) -> NOERROR 508 CNAME cl3-cdn.origin-apple.com.akadns.net. 340 CNAME cl3.g.aaplimg.com. 15 A 198.51.100.57 15 A 198.51.100.52 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "cl3.apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 65019
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dns.opendns.com",
+ "registered_domain": "opendns.com",
+ "subdomain": "dns",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#65019: query: dns.opendns.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.opendns.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 65019
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.161",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.160",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "dns.opendns.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.161",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.160",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#65019 (dns.opendns.com.): answer: dns.opendns.com. IN A (10.100.0.1) -> NOERROR 2380 A 198.51.100.161 2380 A 198.51.100.160 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.opendns.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.138",
+ "port": 60046
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host037.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host037",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60046: query: host037.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host037.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.138",
+ "port": 60046
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host037.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60046 (host037.example.net.): answer: host037.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host037.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.138",
+ "port": 60046
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host037.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host037",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60046: query: host037.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host037.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.138",
+ "port": 60046
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.14",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host037.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.14",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60046 (host037.example.net.): answer: host037.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.1.14 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host037.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.64",
+ "port": 64508
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com",
+ "registered_domain": "citrix.com",
+ "subdomain": "downloadplugins",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.64#64508: query: downloadplugins.citrix.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.64",
+ "port": 64508
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.64#64508 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 54799
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "doh.umbrella.com",
+ "registered_domain": "umbrella.com",
+ "subdomain": "doh",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#54799: query: doh.umbrella.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "doh.umbrella.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 54799
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.255",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "doh.umbrella.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.255",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#54799 (doh.umbrella.com.): answer: doh.umbrella.com. IN A (10.100.0.1) -> NOERROR 1 A 198.51.100.255 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "doh.umbrella.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 56344
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "doh.umbrella.com",
+ "registered_domain": "umbrella.com",
+ "subdomain": "doh",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#56344: query: doh.umbrella.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "doh.umbrella.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 56344
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "doh.umbrella.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#56344 (doh.umbrella.com.): answer: doh.umbrella.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "doh.umbrella.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.66",
+ "port": 53419
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host046.host046.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host046.host046",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#53419: query: host046.host046.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host046.host046.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 63373
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "_dns.resolver.arpa",
+ "registered_domain": "resolver.arpa",
+ "subdomain": "_dns",
+ "top_level_domain": "arpa",
+ "type": "TYPE64"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#63373: query: _dns.resolver.arpa IN TYPE64 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "_dns.resolver.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 63373
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "_dns.resolver.arpa.",
+ "type": "TYPE64"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#63373 (_dns.resolver.arpa.): answer: _dns.resolver.arpa. IN TYPE64 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "_dns.resolver.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 49553
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "doh.opendns.com",
+ "registered_domain": "opendns.com",
+ "subdomain": "doh",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#49553: query: doh.opendns.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "doh.opendns.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 49553
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.254",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "doh.opendns.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.254",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#49553 (doh.opendns.com.): answer: doh.opendns.com. IN A (10.100.0.1) -> NOERROR 114 A 198.51.100.254 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "doh.opendns.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.66",
+ "port": 53419
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host047.host047.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#53419 (host047.host047.example.net.): answer: host047.host047.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host047.host047.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.138",
+ "port": 60046
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host041.host041.host041.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host041.host041.host041",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60046: query: host041.host041.host041.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host041.host041.host041.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 51160
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "doh.opendns.com",
+ "registered_domain": "opendns.com",
+ "subdomain": "doh",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#51160: query: doh.opendns.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "doh.opendns.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 51160
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "doh.opendns.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#51160 (doh.opendns.com.): answer: doh.opendns.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "doh.opendns.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.138",
+ "port": 60046
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host041.host041.host041.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.138#60046 (host041.host041.host041.example.net.): answer: host041.host041.host041.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host041.host041.host041.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 57116
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dns.umbrella.com",
+ "registered_domain": "umbrella.com",
+ "subdomain": "dns",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#57116: query: dns.umbrella.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.umbrella.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 57116
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.161",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.160",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "dns.umbrella.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.161",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.160",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#57116 (dns.umbrella.com.): answer: dns.umbrella.com. IN A (10.100.0.1) -> NOERROR 376 A 198.51.100.161 376 A 198.51.100.160 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.umbrella.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 62393
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dns.umbrella.com",
+ "registered_domain": "umbrella.com",
+ "subdomain": "dns",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#62393: query: dns.umbrella.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.umbrella.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 62393
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dns.umbrella.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#62393 (dns.umbrella.com.): answer: dns.umbrella.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.umbrella.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.128",
+ "port": 63904
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "master.eu-west-1.prod.engine-nlb.cheqzone.com",
+ "registered_domain": "cheqzone.com",
+ "subdomain": "master.eu-west-1.prod.engine-nlb",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#63904: query: master.eu-west-1.prod.engine-nlb.cheqzone.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "master.eu-west-1.prod.engine-nlb.cheqzone.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 61835
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dns.opendns.com",
+ "registered_domain": "opendns.com",
+ "subdomain": "dns",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#61835: query: dns.opendns.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.opendns.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 61835
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dns.opendns.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#61835 (dns.opendns.com.): answer: dns.opendns.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.opendns.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.66",
+ "port": 64184
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host048.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host048",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#64184: query: host048.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host048.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.66",
+ "port": 64184
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host049.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#64184 (host049.example.net.): answer: host049.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host049.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.66",
+ "port": 51884
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host200.internal.net",
+ "registered_domain": "internal.net",
+ "subdomain": "host200",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#51884: query: host200.internal.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host200.internal.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.66",
+ "port": 51884
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host200.internal.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#51884 (host200.internal.net.): answer: host200.internal.net. IN A (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host200.internal.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.64",
+ "port": 53265
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "turbo.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "turbo",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.64#53265: query: turbo.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "turbo.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.64",
+ "port": 53265
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "turbo.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.64#53265 (turbo.microsoft.com.): answer: turbo.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 892 CNAME turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "turbo.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.85",
+ "port": 61721
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.googletagmanager.com",
+ "registered_domain": "googletagmanager.com",
+ "subdomain": "www",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.85#61721: query: www.googletagmanager.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.googletagmanager.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.85",
+ "port": 61721
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.252",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.googletagmanager.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.252",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.85#61721 (www.googletagmanager.com.): answer: www.googletagmanager.com. IN A (10.100.0.1) -> NOERROR 201 A 198.51.100.252 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.googletagmanager.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.129",
+ "port": 61233
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.129#61233: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.129",
+ "port": 61233
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.129#61233 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.64",
+ "port": 51746
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "turbo.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "turbo",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.64#51746: query: turbo.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "turbo.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.64",
+ "port": 51746
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mr-b01.tm-azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dual.part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.211",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "turbo.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mr-b01.tm-azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dual.part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.211",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.64#51746 (turbo.microsoft.com.): answer: turbo.microsoft.com. IN A (10.100.0.1) -> NOERROR 892 CNAME turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net. 5 CNAME mr-b01.tm-azurefd.net. 28 CNAME dual.part-0017.t-0009.fb-t-msedge.net. 37 CNAME part-0017.t-0009.fb-t-msedge.net. 35 A 198.51.100.210 35 A 198.51.100.211 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "turbo.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.85",
+ "port": 65484
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.googletagmanager.com",
+ "registered_domain": "googletagmanager.com",
+ "subdomain": "www",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.85#65484: query: www.googletagmanager.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.googletagmanager.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.85",
+ "port": 65484
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.googletagmanager.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.85#65484 (www.googletagmanager.com.): answer: www.googletagmanager.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.googletagmanager.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.227",
+ "port": 55240
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.227#55240: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.227",
+ "port": 55240
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.227#55240 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.11",
+ "port": 54043
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "winatp-gw-weu",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.11#54043: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.11",
+ "port": 54043
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.11#54043 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.128",
+ "port": 63904
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "master.eu-west-1.prod.engine-nlb.cheqzone.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#63904 (master.eu-west-1.prod.engine-nlb.cheqzone.com.): answer: master.eu-west-1.prod.engine-nlb.cheqzone.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "master.eu-west-1.prod.engine-nlb.cheqzone.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.221",
+ "port": 59759
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host050.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host050",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.221#59759: query: host050.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host050.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.221",
+ "port": 59759
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host050.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host050",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.221#59759: query: host050.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host050.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.61",
+ "port": 54387
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.126",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.129",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.snsbank.nl.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.126",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.129",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.61#54387 (www.snsbank.nl.): answer: www.snsbank.nl. IN A (10.100.0.1) -> NOERROR 20 A 198.51.100.126 20 A 198.51.100.129 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.snsbank.nl."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.221",
+ "port": 59759
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "172.16.2.65",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host051.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "172.16.2.65",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.221#59759 (host051.example.net.): answer: host051.example.net. IN A (10.100.0.1) -> NOERROR 1800 A 172.16.2.65 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host051.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.221",
+ "port": 59759
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host051.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.221#59759 (host051.example.net.): answer: host051.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host051.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.82",
+ "port": 49540
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host034.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host034",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.82#49540: query: host034.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host034.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.82",
+ "port": 49540
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host034.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.82#49540 (host034.example.net.): answer: host034.example.net. IN A (10.100.0.1) -> NOERROR 1200 A 10.1.0.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host034.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.153",
+ "port": 54808
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "cl3.g.aaplimg.com",
+ "registered_domain": "aaplimg.com",
+ "subdomain": "cl3.g",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.153#54808: query: cl3.g.aaplimg.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "cl3.g.aaplimg.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.153",
+ "port": 54808
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "cl3.g.aaplimg.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.153#54808 (cl3.g.aaplimg.com.): answer: cl3.g.aaplimg.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "cl3.g.aaplimg.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 50405
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "test-gateway.instagram.com",
+ "registered_domain": "instagram.com",
+ "subdomain": "test-gateway",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#50405: query: test-gateway.instagram.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "test-gateway.instagram.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 50405
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "dgw-ig.c10r.facebook.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.28",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "test-gateway.instagram.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "dgw-ig.c10r.facebook.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.28",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#50405 (test-gateway.instagram.com.): answer: test-gateway.instagram.com. IN A (10.100.0.1) -> NOERROR 2033 CNAME dgw-ig.c10r.facebook.com. 8 A 198.51.100.28 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "test-gateway.instagram.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.186",
+ "port": 65533
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.198.51.100.113.in-addr.arpa",
+ "registered_domain": "113.in-addr.arpa",
+ "subdomain": "lb._dns-sd._udp.198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.186#65533: query: lb._dns-sd._udp.198.51.100.113.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.198.51.100.113.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.186",
+ "port": 65533
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.198.51.100.113.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.186#65533 (lb._dns-sd._udp.198.51.100.113.in-addr.arpa.): answer: lb._dns-sd._udp.198.51.100.113.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.198.51.100.113.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 64242
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gateway.instagram.com",
+ "registered_domain": "instagram.com",
+ "subdomain": "gateway",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#64242: query: gateway.instagram.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gateway.instagram.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 64242
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "dgw.c10r.facebook.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.26",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "gateway.instagram.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "dgw.c10r.facebook.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.26",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#64242 (gateway.instagram.com.): answer: gateway.instagram.com. IN A (10.100.0.1) -> NOERROR 1212 CNAME dgw.c10r.facebook.com. 33 A 198.51.100.26 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gateway.instagram.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.186",
+ "port": 58930
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host021.host021.host021.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host021.host021.host021",
+ "top_level_domain": "net",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.186#58930: query: host021.host021.host021.example.net IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host021.host021.host021.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.186",
+ "port": 58930
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host021.host021.host021.example.net.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.186#58930 (host021.host021.host021.example.net.): answer: host021.host021.host021.example.net. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host021.host021.host021.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.186",
+ "port": 49738
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.192.0.2.2.in-addr.arpa",
+ "registered_domain": "2.in-addr.arpa",
+ "subdomain": "lb._dns-sd._udp.192.0.2",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.186#49738: query: lb._dns-sd._udp.192.0.2.2.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.192.0.2.2.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.186",
+ "port": 49738
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.192.0.2.2.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.186#49738 (lb._dns-sd._udp.192.0.2.2.in-addr.arpa.): answer: lb._dns-sd._udp.192.0.2.2.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.192.0.2.2.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.176",
+ "port": 62054
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.176#62054: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.176",
+ "port": 62054
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.176#62054 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.184",
+ "port": 53303
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ecs.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "ecs",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.184#53303: query: ecs.office.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ecs.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.184",
+ "port": 53303
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ecs.office.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dual-s-0005-office.config.skype.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ecs-office.s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.252",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.251",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ecs.office.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ecs.office.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dual-s-0005-office.config.skype.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ecs-office.s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.252",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.251",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.184#53303 (ecs.office.com.): answer: ecs.office.com. IN A (10.100.0.1) -> NOERROR 78 CNAME ecs.office.trafficmanager.net. 7 CNAME dual-s-0005-office.config.skype.com. 8549 CNAME ecs-office.s-0005.dual-s-msedge.net. 40 CNAME s-0005.dual-s-msedge.net. 25 A 198.51.100.252 25 A 198.51.100.251 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ecs.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.138",
+ "port": 26652
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "api-emea.flightproxy.teams.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "api-emea.flightproxy.teams",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#26652: query: api-emea.flightproxy.teams.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "api-emea.flightproxy.teams.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.66",
+ "port": 55371
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.66#55371: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.66",
+ "port": 55371
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.66#55371 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.75",
+ "port": 60078
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.75#60078: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.75",
+ "port": 60078
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.75#60078 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.194",
+ "port": 45361
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host045.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host045",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.194#45361: query: host045.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host045.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.194",
+ "port": 45361
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.191",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host045.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.191",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.194#45361 (host045.example.net.): answer: host045.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.191 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host045.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.130",
+ "port": 55301
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "v10.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "v10.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.130#55301: query: v10.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "v10.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.130",
+ "port": 55301
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "win-global-asimov-leafs-events-data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdeus11.eastus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.154",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "v10.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "win-global-asimov-leafs-events-data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdeus11.eastus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.154",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.130#55301 (v10.events.data.microsoft.com.): answer: v10.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 22 CNAME win-global-asimov-leafs-events-data.trafficmanager.net. 6 CNAME onedscolprdeus11.eastus.cloudapp.azure.com. 5 A 198.51.100.154 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "v10.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.15",
+ "port": 45859
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host031.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host031",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.15#45859: query: host031.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host031.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.15",
+ "port": 45859
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host031.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host031",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.15#45859: query: host031.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host031.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.15",
+ "port": 45859
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.134",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host031.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.134",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.15#45859 (host031.example.net.): answer: host031.example.net. IN A (10.100.0.1) -> NOERROR 300 A 10.1.1.134 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host031.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.15",
+ "port": 45859
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host031.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.15#45859 (host031.example.net.): answer: host031.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host031.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.24",
+ "port": 50529
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-word-edit.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "euc-word-edit.officeapps",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.24#50529: query: euc-word-edit.officeapps.live.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-word-edit.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.24",
+ "port": 50529
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-word-edit-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-word-edit.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "euc-word-edit.officeapps.live.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-word-edit-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-word-edit.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.24#50529 (euc-word-edit.officeapps.live.com.): answer: euc-word-edit.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR 3 CNAME euc-word-edit-geo.wac.trafficmanager.net. 14 CNAME euc-word-edit.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 20 CNAME wac-0003.wac-msedge.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-word-edit.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.24",
+ "port": 52993
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-word-edit.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "euc-word-edit.officeapps",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.24#52993: query: euc-word-edit.officeapps.live.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-word-edit.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.24",
+ "port": 52993
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-word-edit-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-word-edit.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "euc-word-edit.officeapps.live.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-word-edit-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-word-edit.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.24#52993 (euc-word-edit.officeapps.live.com.): answer: euc-word-edit.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 3 CNAME euc-word-edit-geo.wac.trafficmanager.net. 14 CNAME euc-word-edit.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 20 CNAME wac-0003.wac-msedge.net. 18 A 198.51.100.235 18 A 198.51.100.236 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-word-edit.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.137",
+ "port": 48503
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.tizen.org",
+ "registered_domain": "tizen.org",
+ "subdomain": "www",
+ "top_level_domain": "org",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.137#48503: query: www.tizen.org IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.tizen.org"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.137",
+ "port": 48503
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.97",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.96",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.98",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.99",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.tizen.org.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.97",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.96",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.98",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.99",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.137#48503 (www.tizen.org.): answer: www.tizen.org. IN A (10.100.0.1) -> NOERROR 12 A 198.51.100.97 12 A 198.51.100.96 12 A 198.51.100.98 12 A 198.51.100.99 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.tizen.org."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.4",
+ "port": 15232
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host052.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host052",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.4#15232: query: host052.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host052.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.4",
+ "port": 15232
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.2",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host052.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.2",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.4#15232 (host052.example.net.): answer: host052.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.1.2 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host052.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.4",
+ "port": 46339
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host052.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host052",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.4#46339: query: host052.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host052.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.4",
+ "port": 46339
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host052.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.4#46339 (host052.example.net.): answer: host052.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host052.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.101",
+ "port": 58858
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "outlook.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "outlook",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.101#58858: query: outlook.office.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "outlook.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.101",
+ "port": 58858
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "outlook.office.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.101#58858 (outlook.office.com.): answer: outlook.office.com. IN A (10.100.0.1) -> NOERROR 31 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.218 7 A 198.51.100.11 7 A 198.51.100.10 7 A 198.51.100.6 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "outlook.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.200",
+ "port": 56508
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.200#56508: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.200",
+ "port": 56508
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.endpoint.security",
+ "top_level_domain": "com",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.200#56508: query: eu-v20.events.endpoint.security.microsoft.com IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.200",
+ "port": 56508
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.200#56508 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.200",
+ "port": 56508
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.200#56508 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN AAAA (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.194",
+ "port": 49921
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host045.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host045",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.194#49921: query: host045.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host045.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 58342
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host053.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host053",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#58342: query: host053.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host053.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.194",
+ "port": 49921
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.191",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host045.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.191",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.194#49921 (host045.example.net.): answer: host045.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.191 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host045.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 58342
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host053.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#58342 (host053.example.net.): answer: host053.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host053.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.194",
+ "port": 57464
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host045.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host045",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.194#57464: query: host045.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host045.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.194",
+ "port": 57464
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.191",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host045.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.191",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.194#57464 (host045.example.net.): answer: host045.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.191 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host045.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.4",
+ "port": 61891
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host054.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host054",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.4#61891: query: host054.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host054.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.4",
+ "port": 61891
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host054.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.4#61891 (host054.example.net.): answer: host054.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host054.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.4",
+ "port": 54295
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host054.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host054",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.4#54295: query: host054.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host054.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.4",
+ "port": 54295
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.1",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host054.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.1",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.4#54295 (host054.example.net.): answer: host054.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.1.1 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host054.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.52",
+ "port": 58462
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "turbo.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "turbo",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.52#58462: query: turbo.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "turbo.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.52",
+ "port": 58462
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mr-b01.tm-azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dual.part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.211",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "turbo.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mr-b01.tm-azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dual.part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.211",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.52#58462 (turbo.microsoft.com.): answer: turbo.microsoft.com. IN A (10.100.0.1) -> NOERROR 892 CNAME turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net. 5 CNAME mr-b01.tm-azurefd.net. 28 CNAME dual.part-0017.t-0009.fb-t-msedge.net. 37 CNAME part-0017.t-0009.fb-t-msedge.net. 35 A 198.51.100.211 35 A 198.51.100.210 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "turbo.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.30",
+ "port": 54389
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edge.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edge",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.30#54389: query: edge.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.30",
+ "port": 54389
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-microsoft-com.ax-0002.ax-msedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edge.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-microsoft-com.ax-0002.ax-msedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.30#54389 (edge.microsoft.com.): answer: edge.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 626 CNAME edge-microsoft-com.ax-0002.ax-msedge.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.30",
+ "port": 49206
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edge.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edge",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.30#49206: query: edge.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.30",
+ "port": 49206
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-microsoft-com.ax-0002.ax-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ax-0002.ax-dc-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.4",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.3",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edge.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-microsoft-com.ax-0002.ax-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ax-0002.ax-dc-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.4",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.3",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.30#49206 (edge.microsoft.com.): answer: edge.microsoft.com. IN A (10.100.0.1) -> NOERROR 626 CNAME edge-microsoft-com.ax-0002.ax-msedge.net. 80 CNAME ax-0002.ax-dc-msedge.net. 5 A 198.51.100.4 5 A 198.51.100.3 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.138",
+ "port": 26652
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "flightproxy-emea-teams.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ep-frce-02-prod-aks.flightproxy.teams.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "epx.frce-02.ic3-calling-enterpriseproxy.francecentral-prod.cosmic.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cosmic-francecentral-ns-9ecb4f6d7",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "api-emea.flightproxy.teams.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "flightproxy-emea-teams.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ep-frce-02-prod-aks.flightproxy.teams.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "epx.frce-02.ic3-calling-enterpriseproxy.francecentral-prod.cosmic.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cosmic-francecentral-ns-9ecb4f6d7",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#26652 (api-emea.flightproxy.teams.microsoft.com.): answer: api-emea.flightproxy.teams.microsoft.com. IN A (10.100.0.1) -> NOERROR 43017 CNAME flightproxy-emea-teams.trafficmanager.net. 19 CNAME ep-frce-02-prod-aks.flightproxy.teams.microsoft.com. 10202 CNAME epx.frce-02.ic3-calling-enterpriseproxy.francecentral-prod.cosmic.office.net. 4 CNAME cosmic-francecentral-ns-9ecb4f6d7"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "api-emea.flightproxy.teams.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.48",
+ "port": 52031
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "r4.res.office365.com",
+ "registered_domain": "office365.com",
+ "subdomain": "r4.res",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.48#52031: query: r4.res.office365.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "r4.res.office365.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.48",
+ "port": 52031
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "r4.res.office365.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e40491.dscg.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.125",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.131",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "r4.res.office365.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "r4.res.office365.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e40491.dscg.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.125",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.131",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.48#52031 (r4.res.office365.com.): answer: r4.res.office365.com. IN A (10.100.0.1) -> NOERROR 219 CNAME r4.res.office365.com.edgekey.net. 9 CNAME e40491.dscg.akamaiedge.net. 12 A 198.51.100.125 12 A 198.51.100.131 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "r4.res.office365.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.27",
+ "port": 55201
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.27#55201: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.27",
+ "port": 55201
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.27#55201 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.50",
+ "port": 49235
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "europe.smartscreen",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.50#49235: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.50",
+ "port": 49235
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.50#49235 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.66",
+ "port": 57679
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-teams.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-teams.events.data",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.66#57679: query: eu-teams.events.data.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-teams.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.66",
+ "port": 57679
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-teams.events.data.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.66#57679 (eu-teams.events.data.microsoft.com.): answer: eu-teams.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 9 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-teams.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.2",
+ "port": 63480
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.35.in-addr.arpa",
+ "registered_domain": "35.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.2#63480: query: 198.51.100.35.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.35.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.2",
+ "port": 63480
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host055.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.35.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host055.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.2#63480 (198.51.100.35.in-addr.arpa.): answer: 198.51.100.35.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host055.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.35.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.231",
+ "port": 62453
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "example.net",
+ "registered_domain": "example.net",
+ "top_level_domain": "net",
+ "type": "SOA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.231#62453: query: example.net IN SOA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.66",
+ "port": 50834
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-teams.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-teams.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.66#50834: query: eu-teams.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-teams.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.66",
+ "port": 50834
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-teams.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.66#50834 (eu-teams.events.data.microsoft.com.): answer: eu-teams.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 9 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-teams.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.231",
+ "port": 62453
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host015.example.net. empty.empty. 1438828 3600 600 1209600 3600",
+ "type": "SOA"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "example.net.",
+ "type": "SOA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host015.example.net. empty.empty. 1438828 3600 600 1209600 3600",
+ "type": "SOA"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.231#62453 (example.net.): answer: example.net. IN SOA (10.100.0.1) -> NOERROR 3600 SOA host015.example.net. empty.empty. 1438828 3600 600 1209600 3600 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.162",
+ "port": 55408
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "web.whatsapp.com",
+ "registered_domain": "whatsapp.com",
+ "subdomain": "web",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.162#55408: query: web.whatsapp.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "web.whatsapp.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.162",
+ "port": 55408
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "mmx-ds.cdn.whatsapp.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "web.whatsapp.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "mmx-ds.cdn.whatsapp.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.162#55408 (web.whatsapp.com.): answer: web.whatsapp.com. IN TYPE65 (10.100.0.1) -> NOERROR 3419 CNAME mmx-ds.cdn.whatsapp.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "web.whatsapp.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.162",
+ "port": 56602
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "web.whatsapp.com",
+ "registered_domain": "whatsapp.com",
+ "subdomain": "web",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.162#56602: query: web.whatsapp.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "web.whatsapp.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.162",
+ "port": 56602
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "mmx-ds.cdn.whatsapp.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.32",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "web.whatsapp.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "mmx-ds.cdn.whatsapp.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.32",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.162#56602 (web.whatsapp.com.): answer: web.whatsapp.com. IN A (10.100.0.1) -> NOERROR 3419 CNAME mmx-ds.cdn.whatsapp.net. 2 A 198.51.100.32 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "web.whatsapp.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.91",
+ "port": 54359
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "nexusrules.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "nexusrules.officeapps",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.91#54359: query: nexusrules.officeapps.live.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "nexusrules.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.91",
+ "port": 54359
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod.nexusrules.live.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.249",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "nexusrules.officeapps.live.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod.nexusrules.live.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.249",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.91#54359 (nexusrules.officeapps.live.com.): answer: nexusrules.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 2687 CNAME prod.nexusrules.live.com.akadns.net. 23 A 198.51.100.249 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "nexusrules.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 47173
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host013",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#47173: query: host013.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 47173
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host013",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#47173: query: host013.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 47173
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.217",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.217",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#47173 (host013.example.net.): answer: host013.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.217 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 47173
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#47173 (host013.example.net.): answer: host013.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.32",
+ "port": 52762
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "enterpriseregistration.windows.net",
+ "registered_domain": "windows.net",
+ "subdomain": "enterpriseregistration",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.32#52762: query: enterpriseregistration.windows.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "enterpriseregistration.windows.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.32",
+ "port": 52762
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "na.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prdf.aadg.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.f.prd.aadg.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.152",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.151",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.214",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.211",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.212",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.213",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.150",
+ "type": "A"
+ },
+ {
+ "data": "40.12",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "enterpriseregistration.windows.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "na.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prdf.aadg.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.f.prd.aadg.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.152",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.151",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.214",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.211",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.212",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.213",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.150",
+ "type": "A"
+ },
+ {
+ "data": "40.12",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.32#52762 (enterpriseregistration.windows.net.): answer: enterpriseregistration.windows.net. IN A (10.100.0.1) -> NOERROR 1792 CNAME na.privatelink.msidentity.com. 129 CNAME prdf.aadg.msidentity.com. 21 CNAME www.tm.f.prd.aadg.akadns.net. 291 A 198.51.100.152 291 A 198.51.100.151 291 A 198.51.100.214 291 A 198.51.100.211 291 A 198.51.100.212 291 A 198.51.100.213 291 A 198.51.100.150 291 A 40.12"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "enterpriseregistration.windows.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.146",
+ "port": 62034
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "login.microsoftonline.com",
+ "registered_domain": "microsoftonline.com",
+ "subdomain": "login",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.146#62034: query: login.microsoftonline.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "login.microsoftonline.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.146",
+ "port": 62034
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "login.mso.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ak.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.a.prd.aadg.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.209",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.144",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.137",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.146",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.208",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.148",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.145",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.147",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "login.microsoftonline.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "login.mso.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ak.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.a.prd.aadg.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.209",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.144",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.137",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.146",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.208",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.148",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.145",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.147",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.146#62034 (login.microsoftonline.com.): answer: login.microsoftonline.com. IN A (10.100.0.1) -> NOERROR 7955 CNAME login.mso.msidentity.com. 71 CNAME ak.privatelink.msidentity.com. 41 CNAME www.tm.a.prd.aadg.trafficmanager.net. 99 A 198.51.100.209 99 A 198.51.100.144 99 A 198.51.100.137 99 A 198.51.100.146 99 A 198.51.100.208 99 A 198.51.100.148 99 A 198.51.100.145 99 A 198.51.100.147 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "login.microsoftonline.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.140",
+ "port": 61255
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host004.host004.host004.host004.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host004.host004.host004.host004",
+ "top_level_domain": "net",
+ "type": "SRV"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.140#61255: query: host004.host004.host004.host004.example.net IN SRV (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host004.host004.host004.host004.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.140",
+ "port": 61255
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "0 100 389 host005.example.net.",
+ "type": "SRV"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host004.host004.host004.host004.example.net.",
+ "type": "SRV"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "0 100 389 host005.example.net.",
+ "type": "SRV"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.140#61255 (host004.host004.host004.host004.example.net.): answer: host004.host004.host004.host004.example.net. IN SRV (10.100.0.1) -> NOERROR 600 SRV 0 100 389 host005.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host004.host004.host004.host004.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 40005
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.209.in-addr.arpa",
+ "registered_domain": "209.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#40005: query: 198.51.100.209.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.209.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 40005
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host056.host056.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.209.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host056.host056.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#40005 (198.51.100.209.in-addr.arpa.): answer: 198.51.100.209.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host056.host056.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.209.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.140",
+ "port": 61255
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host005.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host005",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.140#61255: query: host005.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host005.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.140",
+ "port": 61255
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.228",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host005.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.228",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.140#61255 (host005.example.net.): answer: host005.example.net. IN A (10.100.0.1) -> NOERROR 1200 A 10.1.0.228 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host005.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.138",
+ "port": 31651
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "go-eu.trouter.teams.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "go-eu.trouter.teams",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#31651: query: go-eu.trouter.teams.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "go-eu.trouter.teams.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.138",
+ "port": 31651
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "trouter-atm-pub-ent-emea.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "pub-ent-euwe-07-t.trouter.teams.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "partition-cname-trouter.pub-ent-euwe-07.ic3-edf-trouter.westeurope-prod.cosmic.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cosmic-westeurope-ns-b80c4716b71c.traffic",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "go-eu.trouter.teams.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "trouter-atm-pub-ent-emea.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "pub-ent-euwe-07-t.trouter.teams.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "partition-cname-trouter.pub-ent-euwe-07.ic3-edf-trouter.westeurope-prod.cosmic.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cosmic-westeurope-ns-b80c4716b71c.traffic",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#31651 (go-eu.trouter.teams.microsoft.com.): answer: go-eu.trouter.teams.microsoft.com. IN A (10.100.0.1) -> NOERROR 1421 CNAME trouter-atm-pub-ent-emea.trafficmanager.net. 7 CNAME pub-ent-euwe-07-t.trouter.teams.microsoft.com. 2072 CNAME partition-cname-trouter.pub-ent-euwe-07.ic3-edf-trouter.westeurope-prod.cosmic.office.net. 9 CNAME cosmic-westeurope-ns-b80c4716b71c.traffic"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "go-eu.trouter.teams.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.61",
+ "port": 57103
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu.recent.svc.cloud.microsoft",
+ "registered_domain": "cloud.microsoft",
+ "subdomain": "eu.recent.svc",
+ "top_level_domain": "microsoft",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.61#57103: query: eu.recent.svc.cloud.microsoft IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu.recent.svc.cloud.microsoft"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.61",
+ "port": 57103
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eudb.ocws1.live.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "recent-prod-weightedww.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "atm.office.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.241",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.237",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.239",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.240",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu.recent.svc.cloud.microsoft.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eudb.ocws1.live.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "recent-prod-weightedww.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "atm.office.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.241",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.237",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.239",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.240",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.61#57103 (eu.recent.svc.cloud.microsoft.): answer: eu.recent.svc.cloud.microsoft. IN A (10.100.0.1) -> NOERROR 337 CNAME eudb.ocws1.live.com.akadns.net. 49 CNAME recent-prod-weightedww.trafficmanager.net. 30 CNAME atm.office.mira.tm.svc.cloud.microsoft. 9 A 198.51.100.241 9 A 198.51.100.237 9 A 198.51.100.239 9 A 198.51.100.240 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu.recent.svc.cloud.microsoft."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.1",
+ "port": 48515
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.35.in-addr.arpa",
+ "registered_domain": "35.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.1#48515: query: 198.51.100.35.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.35.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.1",
+ "port": 48515
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host055.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.35.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host055.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.1#48515 (198.51.100.35.in-addr.arpa.): answer: 198.51.100.35.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host055.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.35.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.30",
+ "port": 54545
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "js.monitor.azure.com",
+ "registered_domain": "azure.com",
+ "subdomain": "js.monitor",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.30#54545: query: js.monitor.azure.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "js.monitor.azure.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.30",
+ "port": 54545
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mr-z01.tm-azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dual.part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.211",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "js.monitor.azure.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mr-z01.tm-azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dual.part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.211",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.30#54545 (js.monitor.azure.com.): answer: js.monitor.azure.com. IN A (10.100.0.1) -> NOERROR 21 CNAME aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net. 44 CNAME mr-z01.tm-azurefd.net. 40 CNAME dual.part-0017.t-0009.fb-t-msedge.net. 37 CNAME part-0017.t-0009.fb-t-msedge.net. 35 A 198.51.100.211 35 A 198.51.100.210 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "js.monitor.azure.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.30",
+ "port": 56147
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "js.monitor.azure.com",
+ "registered_domain": "azure.com",
+ "subdomain": "js.monitor",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.30#56147: query: js.monitor.azure.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "js.monitor.azure.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.30",
+ "port": 56147
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "js.monitor.azure.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.30#56147 (js.monitor.azure.com.): answer: js.monitor.azure.com. IN TYPE65 (10.100.0.1) -> NOERROR 52 CNAME aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "js.monitor.azure.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.63",
+ "port": 56741
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "geover.prod.do.dsp.mp.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "geover.prod.do.dsp.mp",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.63#56741: query: geover.prod.do.dsp.mp.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "geover.prod.do.dsp.mp.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.63",
+ "port": 56741
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "geover.prod.do.dsp.mp.microsoft.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e10370.d.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.182",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "geover.prod.do.dsp.mp.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "geover.prod.do.dsp.mp.microsoft.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e10370.d.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.182",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.63#56741 (geover.prod.do.dsp.mp.microsoft.com.): answer: geover.prod.do.dsp.mp.microsoft.com. IN A (10.100.0.1) -> NOERROR 3565 CNAME geover.prod.do.dsp.mp.microsoft.com.edgekey.net. 5363 CNAME e10370.d.akamaiedge.net. 20 A 198.51.100.182 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "geover.prod.do.dsp.mp.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.7",
+ "port": 51716
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.7#51716: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.7",
+ "port": 51716
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.7#51716 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.138",
+ "port": 53510
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "api-emea.flightproxy.teams.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "api-emea.flightproxy.teams",
+ "top_level_domain": "com",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#53510: query: api-emea.flightproxy.teams.microsoft.com IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "api-emea.flightproxy.teams.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.223",
+ "port": 51443
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.223#51443: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.223",
+ "port": 51443
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.223#51443 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.223",
+ "port": 51443
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.endpoint.security",
+ "top_level_domain": "com",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.223#51443: query: eu-v20.events.endpoint.security.microsoft.com IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.223",
+ "port": 51443
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.223#51443 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN AAAA (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.31",
+ "port": 49738
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edge.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edge",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.31#49738: query: edge.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.31",
+ "port": 49738
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-microsoft-com.ax-0002.ax-msedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edge.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-microsoft-com.ax-0002.ax-msedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.31#49738 (edge.microsoft.com.): answer: edge.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 626 CNAME edge-microsoft-com.ax-0002.ax-msedge.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.77",
+ "port": 53488
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host019.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host019",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.77#53488: query: host019.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host019.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.77",
+ "port": 53488
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.8",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host019.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.8",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.77#53488 (host019.example.net.): answer: host019.example.net. IN A (10.100.0.1) -> NOERROR 180 A 10.1.1.8 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host019.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.31",
+ "port": 62995
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edge.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edge",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.31#62995: query: edge.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.31",
+ "port": 62995
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-microsoft-com.ax-0002.ax-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ax-0002.ax-dc-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.3",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.4",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edge.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-microsoft-com.ax-0002.ax-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ax-0002.ax-dc-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.3",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.4",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.31#62995 (edge.microsoft.com.): answer: edge.microsoft.com. IN A (10.100.0.1) -> NOERROR 626 CNAME edge-microsoft-com.ax-0002.ax-msedge.net. 80 CNAME ax-0002.ax-dc-msedge.net. 5 A 198.51.100.3 5 A 198.51.100.4 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.145",
+ "port": 58032
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.145#58032: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.145",
+ "port": 58032
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.145#58032 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.41",
+ "port": 56120
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "v10.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "v10.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.41#56120: query: v10.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "v10.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.41",
+ "port": 56120
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "win-global-asimov-leafs-events-data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdeus11.eastus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.154",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "v10.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "win-global-asimov-leafs-events-data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdeus11.eastus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.154",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.41#56120 (v10.events.data.microsoft.com.): answer: v10.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 22 CNAME win-global-asimov-leafs-events-data.trafficmanager.net. 6 CNAME onedscolprdeus11.eastus.cloudapp.azure.com. 5 A 198.51.100.154 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "v10.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.27",
+ "port": 58099
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.27#58099: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.27",
+ "port": 58099
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.27#58099 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.77",
+ "port": 55627
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host022.host022.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host022.host022",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.77#55627: query: host022.host022.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host022.host022.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.77",
+ "port": 55627
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host023.host023.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.77#55627 (host023.host023.example.net.): answer: host023.host023.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host023.host023.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.138",
+ "port": 53510
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "flightproxy-emea-teams.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ep-frce-02-prod-aks.flightproxy.teams.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "epx.frce-02.ic3-calling-enterpriseproxy.francecentral-prod.cosmic.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cosmic-francecentral-ns-9ecb4f",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "api-emea.flightproxy.teams.microsoft.com.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "flightproxy-emea-teams.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ep-frce-02-prod-aks.flightproxy.teams.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "epx.frce-02.ic3-calling-enterpriseproxy.francecentral-prod.cosmic.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cosmic-francecentral-ns-9ecb4f",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#53510 (api-emea.flightproxy.teams.microsoft.com.): answer: api-emea.flightproxy.teams.microsoft.com. IN AAAA (10.100.0.1) -> NOERROR 43017 CNAME flightproxy-emea-teams.trafficmanager.net. 19 CNAME ep-frce-02-prod-aks.flightproxy.teams.microsoft.com. 10202 CNAME epx.frce-02.ic3-calling-enterpriseproxy.francecentral-prod.cosmic.office.net. 4 CNAME cosmic-francecentral-ns-9ecb4f"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "api-emea.flightproxy.teams.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.214",
+ "port": 62206
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "testorg.service-now.com",
+ "registered_domain": "service-now.com",
+ "subdomain": "testorg",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.214#62206: query: testorg.service-now.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "testorg.service-now.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.214",
+ "port": 62206
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.1",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "testorg.service-now.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.1",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.214#62206 (testorg.service-now.com.): answer: testorg.service-now.com. IN A (10.100.0.1) -> NOERROR 1 A 198.51.100.1 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "testorg.service-now.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.67",
+ "port": 52009
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edr-weu.eu.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.67#52009: query: edr-weu.eu.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.67",
+ "port": 52009
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.158",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.158",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.67#52009 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 15 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com. 3 A 198.51.100.158 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.107",
+ "port": 50858
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host057.host057.host057.host057.host057.host057.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host057.host057.host057.host057.host057.host057",
+ "top_level_domain": "net",
+ "type": "SRV"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#50858: query: host057.host057.host057.host057.host057.host057.example.net IN SRV (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host057.host057.host057.host057.host057.host057.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.107",
+ "port": 50731
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host058.host058.host058.host058.host058.host058.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host058.host058.host058.host058.host058.host058",
+ "top_level_domain": "net",
+ "type": "SRV"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#50731: query: host058.host058.host058.host058.host058.host058.example.net IN SRV (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host058.host058.host058.host058.host058.host058.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.107",
+ "port": 56071
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host057.host057.host057.host057.host057.host057.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host057.host057.host057.host057.host057.host057",
+ "top_level_domain": "net",
+ "type": "SRV"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#56071: query: host057.host057.host057.host057.host057.host057.example.net IN SRV (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host057.host057.host057.host057.host057.host057.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.107",
+ "port": 50858
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "0 100 88 host034.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 88 host059.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 88 host005.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 88 host060.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 88 host061.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 88 dc5.example.ne",
+ "type": "SRV"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "_kerberos._tcp.Centrum-Locatie._sites.dc._msdcs.EXAMPLE.NET.",
+ "type": "SRV"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "0 100 88 host034.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 88 host059.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 88 host005.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 88 host060.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 88 host061.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 88 dc5.example.ne",
+ "type": "SRV"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#50858 (_kerberos._tcp.Centrum-Locatie._sites.dc._msdcs.EXAMPLE.NET.): answer: _kerberos._tcp.Centrum-Locatie._sites.dc._msdcs.EXAMPLE.NET. IN SRV (10.100.0.1) -> NOERROR 600 SRV 0 100 88 host034.example.net. 600 SRV 0 100 88 host059.example.net. 600 SRV 0 100 88 host005.example.net. 600 SRV 0 100 88 host060.example.net. 600 SRV 0 100 88 host061.example.net. 600 SRV 0 100 88 dc5.example.ne"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "_kerberos._tcp.Centrum-Locatie._sites.dc._msdcs.EXAMPLE.NET."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.107",
+ "port": 50731
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "0 100 389 host063.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 389 host059.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 389 host060.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 389 host005.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 389 host061.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 389 host034.example.net.",
+ "type": "SRV"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host062.host062.host062.host062.host062.host062.example.net.",
+ "type": "SRV"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "0 100 389 host063.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 389 host059.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 389 host060.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 389 host005.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 389 host061.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 389 host034.example.net.",
+ "type": "SRV"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#50731 (host062.host062.host062.host062.host062.host062.example.net.): answer: host062.host062.host062.host062.host062.host062.example.net. IN SRV (10.100.0.1) -> NOERROR 600 SRV 0 100 389 host063.example.net. 600 SRV 0 100 389 host059.example.net. 600 SRV 0 100 389 host060.example.net. 600 SRV 0 100 389 host005.example.net. 600 SRV 0 100 389 host061.example.net. 600 SRV 0 100 389 host034.example.net."
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host062.host062.host062.host062.host062.host062.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.107",
+ "port": 56071
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "0 100 88 host060.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 88 host005.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 88 host063.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 88 host034.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 88 host059.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 88 dc4.example.ne",
+ "type": "SRV"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host064.host064.host064.host064.host064.host064.example.net.",
+ "type": "SRV"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "0 100 88 host060.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 88 host005.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 88 host063.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 88 host034.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 88 host059.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 88 dc4.example.ne",
+ "type": "SRV"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#56071 (host064.host064.host064.host064.host064.host064.example.net.): answer: host064.host064.host064.host064.host064.host064.example.net. IN SRV (10.100.0.1) -> NOERROR 600 SRV 0 100 88 host060.example.net. 600 SRV 0 100 88 host005.example.net. 600 SRV 0 100 88 host063.example.net. 600 SRV 0 100 88 host034.example.net. 600 SRV 0 100 88 host059.example.net. 600 SRV 0 100 88 dc4.example.ne"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host064.host064.host064.host064.host064.host064.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.138",
+ "port": 3264
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "go-eu.trouter.teams.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "go-eu.trouter.teams",
+ "top_level_domain": "com",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#3264: query: go-eu.trouter.teams.microsoft.com IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "go-eu.trouter.teams.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.138",
+ "port": 3264
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "trouter-atm-pub-ent-emea.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "pub-ent-euwe-07-t.trouter.teams.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "partition-cname-trouter.pub-ent-euwe-07.ic3-edf-trouter.westeurope-prod.cosmic.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cosmic-westeurope-ns-b80c4716b71c.traff",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "go-eu.trouter.teams.microsoft.com.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "trouter-atm-pub-ent-emea.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "pub-ent-euwe-07-t.trouter.teams.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "partition-cname-trouter.pub-ent-euwe-07.ic3-edf-trouter.westeurope-prod.cosmic.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cosmic-westeurope-ns-b80c4716b71c.traff",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#3264 (go-eu.trouter.teams.microsoft.com.): answer: go-eu.trouter.teams.microsoft.com. IN AAAA (10.100.0.1) -> NOERROR 1421 CNAME trouter-atm-pub-ent-emea.trafficmanager.net. 7 CNAME pub-ent-euwe-07-t.trouter.teams.microsoft.com. 2072 CNAME partition-cname-trouter.pub-ent-euwe-07.ic3-edf-trouter.westeurope-prod.cosmic.office.net. 9 CNAME cosmic-westeurope-ns-b80c4716b71c.traff"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "go-eu.trouter.teams.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.40",
+ "port": 58484
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.40#58484: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.40",
+ "port": 58484
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.40#58484 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.40",
+ "port": 55140
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.40#55140: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.40",
+ "port": 55140
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.40#55140 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.128",
+ "port": 60586
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "wise-m.public.cdn.office.net",
+ "registered_domain": "office.net",
+ "subdomain": "wise-m.public.cdn",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.128#60586: query: wise-m.public.cdn.office.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "wise-m.public.cdn.office.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.128",
+ "port": 60586
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "res-prod.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-1.cdn.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-stls-prod.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a726.dscd.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "wise-m.public.cdn.office.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "res-prod.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-1.cdn.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-stls-prod.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a726.dscd.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.128#60586 (wise-m.public.cdn.office.net.): answer: wise-m.public.cdn.office.net. IN TYPE65 (10.100.0.1) -> NOERROR 172 CNAME res-prod.trafficmanager.net. 103 CNAME res-1.cdn.office.net. 96 CNAME res-stls-prod.edgesuite.net. 221 CNAME a726.dscd.akamai.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "wise-m.public.cdn.office.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.25",
+ "port": 58988
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "cmp.nu.nl",
+ "registered_domain": "nu.nl",
+ "subdomain": "cmp",
+ "top_level_domain": "nl",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.25#58988: query: cmp.nu.nl IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "cmp.nu.nl"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.25",
+ "port": 58988
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "cdn-1294-2.privacy-mgmt.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "cmp.nu.nl.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "cdn-1294-2.privacy-mgmt.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.25#58988 (cmp.nu.nl.): answer: cmp.nu.nl. IN A (10.100.0.1) -> NXDOMAIN 211 CNAME cdn-1294-2.privacy-mgmt.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "cmp.nu.nl."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.128",
+ "port": 57141
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "wise-m.public.cdn.office.net",
+ "registered_domain": "office.net",
+ "subdomain": "wise-m.public.cdn",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.128#57141: query: wise-m.public.cdn.office.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "wise-m.public.cdn.office.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.128",
+ "port": 57141
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "res-prod.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-1.cdn.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-stls-prod.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a726.dscd.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.68",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.65",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.75",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.71",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.73",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.70",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.67",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.59",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "wise-m.public.cdn.office.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "res-prod.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-1.cdn.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-stls-prod.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a726.dscd.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.68",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.65",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.75",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.71",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.73",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.70",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.67",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.59",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.128#57141 (wise-m.public.cdn.office.net.): answer: wise-m.public.cdn.office.net. IN A (10.100.0.1) -> NOERROR 171 CNAME res-prod.trafficmanager.net. 102 CNAME res-1.cdn.office.net. 95 CNAME res-stls-prod.edgesuite.net. 220 CNAME a726.dscd.akamai.net. 9 A 198.51.100.68 9 A 198.51.100.65 9 A 198.51.100.75 9 A 198.51.100.71 9 A 198.51.100.73 9 A 198.51.100.70 9 A 198.51.100.67 9 A 198.51.100.59"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "wise-m.public.cdn.office.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.53",
+ "port": 55065
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.53#55065: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.53",
+ "port": 55065
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.53#55065 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.93",
+ "port": 57169
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.93#57169: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.93",
+ "port": 57169
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.93#57169 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.106",
+ "port": 56240
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.106#56240: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.106",
+ "port": 50850
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.106#50850: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.106",
+ "port": 56240
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.106#56240 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.106",
+ "port": 50850
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.106#50850 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.138",
+ "port": 31030
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "emea.cc.skype.com",
+ "registered_domain": "skype.com",
+ "subdomain": "emea.cc",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#31030: query: emea.cc.skype.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "emea.cc.skype.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.148",
+ "port": 53010
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.zorgdoc.nl",
+ "registered_domain": "zorgdoc.nl",
+ "subdomain": "www",
+ "top_level_domain": "nl",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.148#53010: query: www.zorgdoc.nl IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.zorgdoc.nl"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.148",
+ "port": 53010
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.205",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.206",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.zorgdoc.nl.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.205",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.206",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.148#53010 (www.zorgdoc.nl.): answer: www.zorgdoc.nl. IN A (10.100.0.1) -> NOERROR 23 A 198.51.100.205 23 A 198.51.100.206 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.zorgdoc.nl."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.148",
+ "port": 55250
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.zorgdoc.nl",
+ "registered_domain": "zorgdoc.nl",
+ "subdomain": "www",
+ "top_level_domain": "nl",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.148#55250: query: www.zorgdoc.nl IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.zorgdoc.nl"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.148",
+ "port": 55250
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.206",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.205",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.zorgdoc.nl.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.206",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.205",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.148#55250 (www.zorgdoc.nl.): answer: www.zorgdoc.nl. IN A (10.100.0.1) -> NOERROR 23 A 198.51.100.206 23 A 198.51.100.205 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.zorgdoc.nl."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.48",
+ "port": 53231
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "f58cbbd478574eb99f3a5435625ea88f.fp.measure.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "f58cbbd478574eb99f3a5435625ea88f.fp.measure",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.48#53231: query: f58cbbd478574eb99f3a5435625ea88f.fp.measure.office.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "f58cbbd478574eb99f3a5435625ea88f.fp.measure.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.148",
+ "port": 51520
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.zorgdoc.nl",
+ "registered_domain": "zorgdoc.nl",
+ "subdomain": "www",
+ "top_level_domain": "nl",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.148#51520: query: www.zorgdoc.nl IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.zorgdoc.nl"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.115",
+ "port": 54066
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "winatp-gw-weu",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.115#54066: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.115",
+ "port": 54066
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.115#54066 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.21",
+ "port": 55442
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host033.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host033",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#55442: query: host033.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host033.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.21",
+ "port": 55442
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host033.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host033",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#55442: query: host033.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host033.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.21",
+ "port": 55442
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.240",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host033.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.240",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#55442 (host033.example.net.): answer: host033.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.240 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host033.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.21",
+ "port": 55442
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host033.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#55442 (host033.example.net.): answer: host033.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host033.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.148",
+ "port": 65503
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.zorgdoc.nl",
+ "registered_domain": "zorgdoc.nl",
+ "subdomain": "www",
+ "top_level_domain": "nl",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.148#65503: query: www.zorgdoc.nl IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.zorgdoc.nl"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.148",
+ "port": 65503
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.206",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.205",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.zorgdoc.nl.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.206",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.205",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.148#65503 (www.zorgdoc.nl.): answer: www.zorgdoc.nl. IN A (10.100.0.1) -> NOERROR 23 A 198.51.100.206 23 A 198.51.100.205 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.zorgdoc.nl."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.138",
+ "port": 22708
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "emea.cc.skype.com",
+ "registered_domain": "skype.com",
+ "subdomain": "emea.cc",
+ "top_level_domain": "com",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#22708: query: emea.cc.skype.com IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "emea.cc.skype.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.138",
+ "port": 22708
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "cc-emea-skype.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cc-euno-03-prod-aks.cc.skype.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "callcontroller.euno-03.ic3-calling-callcontroller.northeurope-prod.cosmic.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cosmic-northeurope-ns-896c43260b21.trafficmanager.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "emea.cc.skype.com.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "cc-emea-skype.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cc-euno-03-prod-aks.cc.skype.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "callcontroller.euno-03.ic3-calling-callcontroller.northeurope-prod.cosmic.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cosmic-northeurope-ns-896c43260b21.trafficmanager.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#22708 (emea.cc.skype.com.): answer: emea.cc.skype.com. IN AAAA (10.100.0.1) -> NOERROR 70345 CNAME cc-emea-skype.trafficmanager.net. 1 CNAME cc-euno-03-prod-aks.cc.skype.com. 775 CNAME callcontroller.euno-03.ic3-calling-callcontroller.northeurope-prod.cosmic.office.net. 2 CNAME cosmic-northeurope-ns-896c43260b21.trafficmanager.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "emea.cc.skype.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.209",
+ "port": 53657
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "example.net",
+ "registered_domain": "example.net",
+ "top_level_domain": "net",
+ "type": "SOA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.209#53657: query: example.net IN SOA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.209",
+ "port": 53657
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host015.example.net. empty.empty. 1438828 3600 600 1209600 3600",
+ "type": "SOA"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "example.net.",
+ "type": "SOA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host015.example.net. empty.empty. 1438828 3600 600 1209600 3600",
+ "type": "SOA"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.209#53657 (example.net.): answer: example.net. IN SOA (10.100.0.1) -> NOERROR 3600 SOA host015.example.net. empty.empty. 1438828 3600 600 1209600 3600 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.21",
+ "port": 50998
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host035.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host035",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#50998: query: host035.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host035.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.21",
+ "port": 50998
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.241",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host035.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.241",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#50998 (host035.example.net.): answer: host035.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.241 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host035.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.21",
+ "port": 50998
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host035.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host035",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#50998: query: host035.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host035.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.21",
+ "port": 50998
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host035.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.21#50998 (host035.example.net.): answer: host035.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host035.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.206",
+ "port": 49233
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mdav.eu.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "mdav.eu.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.206#49233: query: mdav.eu.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mdav.eu.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.206",
+ "port": 49233
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-atm-epp-eu.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip0.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.157",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "mdav.eu.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-atm-epp-eu.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip0.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.157",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.206#49233 (mdav.eu.endpoint.security.microsoft.com.): answer: mdav.eu.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 106 CNAME md-prod-simcon-atm-epp-eu.trafficmanager.net. 269 CNAME md-prod-simcon-ip0.westeurope.cloudapp.azure.com. 1 A 198.51.100.157 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mdav.eu.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.107",
+ "port": 50858
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host005.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host005",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#50858: query: host005.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host005.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.107",
+ "port": 50858
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.228",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host005.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.228",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#50858 (host005.example.net.): answer: host005.example.net. IN A (10.100.0.1) -> NOERROR 1200 A 10.1.0.228 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host005.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.107",
+ "port": 56071
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host034.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host034",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#56071: query: host034.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host034.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.107",
+ "port": 56071
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host034.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#56071 (host034.example.net.): answer: host034.example.net. IN A (10.100.0.1) -> NOERROR 1200 A 10.1.0.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host034.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.138",
+ "port": 31030
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "cc-emea-skype.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cc-euno-03-prod-aks.cc.skype.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "callcontroller.euno-03.ic3-calling-callcontroller.northeurope-prod.cosmic.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cosmic-northeurope-ns-896c43260b21.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.254",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "emea.cc.skype.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "cc-emea-skype.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cc-euno-03-prod-aks.cc.skype.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "callcontroller.euno-03.ic3-calling-callcontroller.northeurope-prod.cosmic.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cosmic-northeurope-ns-896c43260b21.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.254",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.138#31030 (emea.cc.skype.com.): answer: emea.cc.skype.com. IN A (10.100.0.1) -> NOERROR 70345 CNAME cc-emea-skype.trafficmanager.net. 1 CNAME cc-euno-03-prod-aks.cc.skype.com. 775 CNAME callcontroller.euno-03.ic3-calling-callcontroller.northeurope-prod.cosmic.office.net. 2 CNAME cosmic-northeurope-ns-896c43260b21.trafficmanager.net. 10 A 198.51.100.254 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "emea.cc.skype.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.168",
+ "port": 53265
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.168#53265: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.168",
+ "port": 53265
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.168#53265 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.10",
+ "port": 58615
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host029.host029.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host029.host029",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.10#58615: query: host029.host029.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host029.host029.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.10",
+ "port": 58615
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.29",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host029.host029.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.29",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.10#58615 (host029.host029.example.net.): answer: host029.host029.example.net. IN A (10.100.0.1) -> NOERROR 0 A 10.1.1.29 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host029.host029.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.148",
+ "port": 51520
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.zorgdoc.nl.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.148#51520 (www.zorgdoc.nl.): answer: www.zorgdoc.nl. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.zorgdoc.nl."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.63",
+ "port": 61608
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "europe.smartscreen",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.63#61608: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.63",
+ "port": 61608
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.63#61608 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.48",
+ "port": 53231
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.8",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.217",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.219",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.221",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.220",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.9",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.222",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.7",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "f58cbbd478574eb99f3a5435625ea88f.fp.measure.office.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.8",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.217",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.219",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.221",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.220",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.9",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.222",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.7",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.48#53231 (f58cbbd478574eb99f3a5435625ea88f.fp.measure.office.com.): answer: f58cbbd478574eb99f3a5435625ea88f.fp.measure.office.com. IN A (10.100.0.1) -> NOERROR 10 A 198.51.100.8 10 A 198.51.100.217 10 A 198.51.100.219 10 A 198.51.100.221 10 A 198.51.100.220 10 A 198.51.100.9 10 A 198.51.100.222 10 A 198.51.100.7 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "f58cbbd478574eb99f3a5435625ea88f.fp.measure.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.145",
+ "port": 58539
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.145#58539: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.66",
+ "port": 58080
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host046.host046.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host046.host046",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#58080: query: host046.host046.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host046.host046.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.145",
+ "port": 58539
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.145#58539 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.66",
+ "port": 58080
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host047.host047.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#58080 (host047.host047.example.net.): answer: host047.host047.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host047.host047.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.166",
+ "port": 59261
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ecs.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "ecs",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.166#59261: query: ecs.office.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ecs.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.166",
+ "port": 59261
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ecs.office.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dual-s-0005-office.config.skype.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ecs-office.s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.252",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.251",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ecs.office.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ecs.office.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dual-s-0005-office.config.skype.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ecs-office.s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.252",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.251",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.166#59261 (ecs.office.com.): answer: ecs.office.com. IN A (10.100.0.1) -> NOERROR 78 CNAME ecs.office.trafficmanager.net. 7 CNAME dual-s-0005-office.config.skype.com. 8549 CNAME ecs-office.s-0005.dual-s-msedge.net. 40 CNAME s-0005.dual-s-msedge.net. 25 A 198.51.100.252 25 A 198.51.100.251 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ecs.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.66",
+ "port": 58046
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host048.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host048",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#58046: query: host048.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host048.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.66",
+ "port": 58046
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host049.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#58046 (host049.example.net.): answer: host049.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host049.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.153",
+ "port": 51183
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host065.host065.host065.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host065.host065.host065",
+ "top_level_domain": "net",
+ "type": "SRV"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.153#51183: query: host065.host065.host065.example.net IN SRV (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host065.host065.host065.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.153",
+ "port": 51183
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host065.host065.host065.example.net.",
+ "type": "SRV"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.153#51183 (host065.host065.host065.example.net.): answer: host065.host065.host065.example.net. IN SRV (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host065.host065.host065.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.66",
+ "port": 58556
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host200.internal.net",
+ "registered_domain": "internal.net",
+ "subdomain": "host200",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#58556: query: host200.internal.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host200.internal.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.66",
+ "port": 58556
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host200.internal.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.66#58556 (host200.internal.net.): answer: host200.internal.net. IN A (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host200.internal.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.109",
+ "port": 47787
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "v2.api.relayrobotics.com",
+ "registered_domain": "relayrobotics.com",
+ "subdomain": "v2.api",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.109#47787: query: v2.api.relayrobotics.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "v2.api.relayrobotics.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.109",
+ "port": 47787
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ghs.googlehosted.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.237",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "v2.api.relayrobotics.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ghs.googlehosted.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.237",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.109#47787 (v2.api.relayrobotics.com.): answer: v2.api.relayrobotics.com. IN A (10.100.0.1) -> NOERROR 85 CNAME ghs.googlehosted.com. 38 A 198.51.100.237 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "v2.api.relayrobotics.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.102",
+ "port": 57705
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.17.in-addr.arpa",
+ "registered_domain": "17.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.102#57705: query: 198.51.100.17.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.17.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.102",
+ "port": 57705
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host066.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.17.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host066.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.102#57705 (198.51.100.17.in-addr.arpa.): answer: 198.51.100.17.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 600 PTR host066.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.17.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.249",
+ "port": 47132
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host067.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host067",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.249#47132: query: host067.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host067.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.249",
+ "port": 51746
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host068.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host068",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.249#51746: query: host068.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host068.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.249",
+ "port": 18582
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host067.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host067",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.249#18582: query: host067.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host067.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.249",
+ "port": 33065
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host068.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host068",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.249#33065: query: host068.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host068.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.249",
+ "port": 47132
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host067.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.249#47132 (host067.example.net.): answer: host067.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host067.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.249",
+ "port": 51746
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host068.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.249#51746 (host068.example.net.): answer: host068.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host068.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.249",
+ "port": 33065
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.248",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host068.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.248",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.249#33065 (host068.example.net.): answer: host068.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.248 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host068.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.249",
+ "port": 18582
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.247",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host067.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.247",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.249#18582 (host067.example.net.): answer: host067.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.247 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host067.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.147",
+ "port": 61653
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "substrate.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "substrate",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.147#61653: query: substrate.office.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "substrate.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.147",
+ "port": 61653
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "substrate.office.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.147#61653 (substrate.office.com.): answer: substrate.office.com. IN A (10.100.0.1) -> NOERROR 46 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.218 7 A 198.51.100.6 7 A 198.51.100.11 7 A 198.51.100.10 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "substrate.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.31",
+ "port": 59583
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "graph.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "graph",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.31#59583: query: graph.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.31",
+ "port": 59583
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ags.privatelink.msidentity.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "graph.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ags.privatelink.msidentity.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.31#59583 (graph.microsoft.com.): answer: graph.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 1054 CNAME ags.privatelink.msidentity.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.31",
+ "port": 58527
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "graph.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "graph",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.31#58527: query: graph.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.31",
+ "port": 58527
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ags.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.prd.ags.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.139",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.138",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.149",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.142",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.140",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.143",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.141",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "graph.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ags.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.prd.ags.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.139",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.138",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.149",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.142",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.140",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.143",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.141",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.31#58527 (graph.microsoft.com.): answer: graph.microsoft.com. IN A (10.100.0.1) -> NOERROR 1055 CNAME ags.privatelink.msidentity.com. 165 CNAME www.tm.prd.ags.akadns.net. 122 A 198.51.100.210 122 A 198.51.100.139 122 A 198.51.100.138 122 A 198.51.100.149 122 A 198.51.100.142 122 A 198.51.100.140 122 A 198.51.100.143 122 A 198.51.100.141 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.147",
+ "port": 53202
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "substrate.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "substrate",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.147#53202: query: substrate.office.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "substrate.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.147",
+ "port": 53202
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "substrate.office.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.147#53202 (substrate.office.com.): answer: substrate.office.com. IN TYPE65 (10.100.0.1) -> NOERROR 46 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "substrate.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.192",
+ "port": 42720
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edr-weu.eu.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.192#42720: query: edr-weu.eu.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.192",
+ "port": 42720
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edr-weu.eu.endpoint.security",
+ "top_level_domain": "com",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.192#42720: query: edr-weu.eu.endpoint.security.microsoft.com IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.192",
+ "port": 42720
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.158",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.158",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.192#42720 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 15 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com. 3 A 198.51.100.158 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.192",
+ "port": 42720
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.192#42720 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN AAAA (10.100.0.1) -> NOERROR 177 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.187",
+ "port": 60631
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ams-efz.ms-acdc.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "ams-efz.ms-acdc",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.187#60631: query: ams-efz.ms-acdc.office.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ams-efz.ms-acdc.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.187",
+ "port": 60631
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ams-efz.ms-acdc.office.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.187#60631 (ams-efz.ms-acdc.office.com.): answer: ams-efz.ms-acdc.office.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ams-efz.ms-acdc.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.187",
+ "port": 55919
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "iphone-ld.v.aaplimg.com",
+ "registered_domain": "aaplimg.com",
+ "subdomain": "iphone-ld.v",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.187#55919: query: iphone-ld.v.aaplimg.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "iphone-ld.v.aaplimg.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.187",
+ "port": 55919
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "iphone-ld.v.aaplimg.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.187#55919 (iphone-ld.v.aaplimg.com.): answer: iphone-ld.v.aaplimg.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "iphone-ld.v.aaplimg.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.81",
+ "port": 57911
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "outlook.office365.com",
+ "registered_domain": "office365.com",
+ "subdomain": "outlook",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.81#57911: query: outlook.office365.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "outlook.office365.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.81",
+ "port": 57911
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "outlook.office365.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.81#57911 (outlook.office365.com.): answer: outlook.office365.com. IN A (10.100.0.1) -> NOERROR 220 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.218 7 A 198.51.100.6 7 A 198.51.100.10 7 A 198.51.100.11 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "outlook.office365.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.137",
+ "port": 32109
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.acm.org",
+ "registered_domain": "acm.org",
+ "subdomain": "www",
+ "top_level_domain": "org",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.137#32109: query: www.acm.org IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.acm.org"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.137",
+ "port": 32109
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.202",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.203",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.acm.org.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.202",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.203",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.137#32109 (www.acm.org.): answer: www.acm.org. IN A (10.100.0.1) -> NOERROR 0 A 198.51.100.202 0 A 198.51.100.203 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.acm.org."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.248",
+ "port": 59653
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.38.in-addr.arpa",
+ "registered_domain": "38.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.248#59653: query: 198.51.100.38.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.38.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.248",
+ "port": 59653
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host069.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.38.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host069.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.248#59653 (198.51.100.38.in-addr.arpa.): answer: 198.51.100.38.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host069.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.38.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.129",
+ "port": 65483
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "officeclient.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "officeclient",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.129#65483: query: officeclient.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "officeclient.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.129",
+ "port": 65483
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "config.officeapps.live.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod.configsvc1.live.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "europe.configsvc1.live.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "config-prod-weightedww.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "atm.office.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.239",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.240",
+ "type": "A"
+ },
+ {
+ "data": "52",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "officeclient.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "config.officeapps.live.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod.configsvc1.live.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "europe.configsvc1.live.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "config-prod-weightedww.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "atm.office.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.239",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.240",
+ "type": "A"
+ },
+ {
+ "data": "52",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.129#65483 (officeclient.microsoft.com.): answer: officeclient.microsoft.com. IN A (10.100.0.1) -> NOERROR 858 CNAME config.officeapps.live.com. 903 CNAME prod.configsvc1.live.com.akadns.net. 11 CNAME europe.configsvc1.live.com.akadns.net. 249 CNAME config-prod-weightedww.trafficmanager.net. 54 CNAME atm.office.mira.tm.svc.cloud.microsoft. 9 A 198.51.100.239 9 A 198.51.100.240 9 A 52"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "officeclient.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.247",
+ "port": 16032
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.38.in-addr.arpa",
+ "registered_domain": "38.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.247#16032: query: 198.51.100.38.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.38.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.247",
+ "port": 16032
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host069.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.38.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host069.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.247#16032 (198.51.100.38.in-addr.arpa.): answer: 198.51.100.38.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host069.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.38.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.119",
+ "port": 64021
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "exo.nel.measure.office.net",
+ "registered_domain": "office.net",
+ "subdomain": "exo.nel.measure",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.119#64021: query: exo.nel.measure.office.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "exo.nel.measure.office.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 58298
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host013",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#58298: query: host013.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 58298
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host013",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#58298: query: host013.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.119",
+ "port": 64021
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "nel.measure.office.net.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1894.dscb.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "exo.nel.measure.office.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "nel.measure.office.net.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1894.dscb.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.119#64021 (exo.nel.measure.office.net.): answer: exo.nel.measure.office.net. IN TYPE65 (10.100.0.1) -> NOERROR 26 CNAME nel.measure.office.net.edgesuite.net. 5050 CNAME a1894.dscb.akamai.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "exo.nel.measure.office.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 58298
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.217",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.217",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#58298 (host013.example.net.): answer: host013.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.217 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 58298
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#58298 (host013.example.net.): answer: host013.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.119",
+ "port": 55172
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "exo.nel.measure.office.net",
+ "registered_domain": "office.net",
+ "subdomain": "exo.nel.measure",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.119#55172: query: exo.nel.measure.office.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "exo.nel.measure.office.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.119",
+ "port": 55172
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "nel.measure.office.net.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1894.dscb.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.114",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.116",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "exo.nel.measure.office.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "nel.measure.office.net.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1894.dscb.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.114",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.116",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.119#55172 (exo.nel.measure.office.net.): answer: exo.nel.measure.office.net. IN A (10.100.0.1) -> NOERROR 26 CNAME nel.measure.office.net.edgesuite.net. 5050 CNAME a1894.dscb.akamai.net. 15 A 198.51.100.114 15 A 198.51.100.116 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "exo.nel.measure.office.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.51",
+ "port": 52406
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "testorg.service-now.com",
+ "registered_domain": "service-now.com",
+ "subdomain": "testorg",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.51#52406: query: testorg.service-now.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "testorg.service-now.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.51",
+ "port": 52406
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.1",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "testorg.service-now.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.1",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.51#52406 (testorg.service-now.com.): answer: testorg.service-now.com. IN A (10.100.0.1) -> NOERROR 1 A 198.51.100.1 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "testorg.service-now.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.12",
+ "port": 41022
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "192.0.2.3.in-addr.arpa",
+ "registered_domain": "3.in-addr.arpa",
+ "subdomain": "192.0.2",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.12#41022: query: 192.0.2.3.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "192.0.2.3.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.12",
+ "port": 41022
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "localhost.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "192.0.2.3.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "localhost.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.12#41022 (192.0.2.3.in-addr.arpa.): answer: 192.0.2.3.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 142247 PTR localhost. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "192.0.2.3.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.154",
+ "port": 14516
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.gtv-fleks.nl",
+ "registered_domain": "gtv-fleks.nl",
+ "subdomain": "www",
+ "top_level_domain": "nl",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.154#14516: query: www.gtv-fleks.nl IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.gtv-fleks.nl"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.114",
+ "port": 10011
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "graph.facebook.com",
+ "registered_domain": "facebook.com",
+ "subdomain": "graph",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.114#10011: query: graph.facebook.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.facebook.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.114",
+ "port": 10011
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "star.c10r.facebook.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.24",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "graph.facebook.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "star.c10r.facebook.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.24",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.114#10011 (graph.facebook.com.): answer: graph.facebook.com. IN A (10.100.0.1) -> NOERROR 266 CNAME star.c10r.facebook.com. 56 A 198.51.100.24 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.facebook.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.80",
+ "port": 51202
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "studio-playerapi.competence.biz",
+ "registered_domain": "competence.biz",
+ "subdomain": "studio-playerapi",
+ "top_level_domain": "biz",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.80#51202: query: studio-playerapi.competence.biz IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "studio-playerapi.competence.biz"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.201",
+ "port": 33202
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edr-weu.eu.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.201#33202: query: edr-weu.eu.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.201",
+ "port": 33202
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edr-weu.eu.endpoint.security",
+ "top_level_domain": "com",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.201#33202: query: edr-weu.eu.endpoint.security.microsoft.com IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.201",
+ "port": 33202
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.158",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.158",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.201#33202 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 15 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com. 3 A 198.51.100.158 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.201",
+ "port": 33202
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.201#33202 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN AAAA (10.100.0.1) -> NOERROR 177 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 49472
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "b._dns-sd._udp.192.0.2.2.in-addr.arpa",
+ "registered_domain": "2.in-addr.arpa",
+ "subdomain": "b._dns-sd._udp.192.0.2",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#49472: query: b._dns-sd._udp.192.0.2.2.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "b._dns-sd._udp.192.0.2.2.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 49472
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "b._dns-sd._udp.192.0.2.2.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#49472 (b._dns-sd._udp.192.0.2.2.in-addr.arpa.): answer: b._dns-sd._udp.192.0.2.2.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "b._dns-sd._udp.192.0.2.2.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 60209
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.192.0.2.2.in-addr.arpa",
+ "registered_domain": "2.in-addr.arpa",
+ "subdomain": "lb._dns-sd._udp.192.0.2",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#60209: query: lb._dns-sd._udp.192.0.2.2.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.192.0.2.2.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 61189
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "e6858.dsce9.akamaiedge.net",
+ "registered_domain": "akamaiedge.net",
+ "subdomain": "e6858.dsce9",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#61189: query: e6858.dsce9.akamaiedge.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "e6858.dsce9.akamaiedge.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 61189
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.181",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "e6858.dsce9.akamaiedge.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.181",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#61189 (e6858.dsce9.akamaiedge.net.): answer: e6858.dsce9.akamaiedge.net. IN A (10.100.0.1) -> NOERROR 13 A 198.51.100.181 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "e6858.dsce9.akamaiedge.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 52790
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.apple.com",
+ "registered_domain": "apple.com",
+ "subdomain": "www",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#52790: query: www.apple.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 52790
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "www-apple-com.v.aaplimg.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.apple.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e6858.dsce9.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.181",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.apple.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "www-apple-com.v.aaplimg.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.apple.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e6858.dsce9.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.181",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#52790 (www.apple.com.): answer: www.apple.com. IN A (10.100.0.1) -> NOERROR 222 CNAME www-apple-com.v.aaplimg.com. 119 CNAME www.apple.com.edgekey.net. 157 CNAME e6858.dsce9.akamaiedge.net. 13 A 198.51.100.181 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 65351
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host070.host070.host070.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host070.host070.host070",
+ "top_level_domain": "net",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#65351: query: host070.host070.host070.example.net IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host070.host070.host070.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 60209
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.192.0.2.2.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#60209 (lb._dns-sd._udp.192.0.2.2.in-addr.arpa.): answer: lb._dns-sd._udp.192.0.2.2.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.192.0.2.2.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 64543
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "api.apple-cloudkit.fe2.apple-dns.net",
+ "registered_domain": "apple-dns.net",
+ "subdomain": "api.apple-cloudkit.fe2",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#64543: query: api.apple-cloudkit.fe2.apple-dns.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "api.apple-cloudkit.fe2.apple-dns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 64543
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.50",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.49",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "api.apple-cloudkit.fe2.apple-dns.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.50",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.49",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#64543 (api.apple-cloudkit.fe2.apple-dns.net.): answer: api.apple-cloudkit.fe2.apple-dns.net. IN A (10.100.0.1) -> NOERROR 87 A 198.51.100.50 87 A 198.51.100.49 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "api.apple-cloudkit.fe2.apple-dns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 65351
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host070.host070.host070.example.net.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#65351 (host070.host070.host070.example.net.): answer: host070.host070.host070.example.net. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host070.host070.host070.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 55941
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "atc.spotify.map.fastly.net",
+ "registered_domain": "map.fastly.net",
+ "subdomain": "atc.spotify",
+ "top_level_domain": "fastly.net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#55941: query: atc.spotify.map.fastly.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "atc.spotify.map.fastly.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 55941
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.7",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.12",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.15",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "atc.spotify.map.fastly.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.7",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.12",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.15",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#55941 (atc.spotify.map.fastly.net.): answer: atc.spotify.map.fastly.net. IN A (10.100.0.1) -> NOERROR 0 A 198.51.100.7 0 A 198.51.100.10 0 A 198.51.100.12 0 A 198.51.100.15 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "atc.spotify.map.fastly.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 60701
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host071.host071.host071.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host071.host071.host071",
+ "top_level_domain": "net",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#60701: query: host071.host071.host071.example.net IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host071.host071.host071.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 60701
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host071.host071.host071.example.net.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#60701 (host071.host071.host071.example.net.): answer: host071.host071.host071.example.net. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host071.host071.host071.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 65313
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "us-sandbox-courier-4.push-apple.com.akadns.net",
+ "registered_domain": "akadns.net",
+ "subdomain": "us-sandbox-courier-4.push-apple.com",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#65313: query: us-sandbox-courier-4.push-apple.com.akadns.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "us-sandbox-courier-4.push-apple.com.akadns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 65313
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.29",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.25",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.26",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.28",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.24",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.27",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.31",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.30",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "us-sandbox-courier-4.push-apple.com.akadns.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.29",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.25",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.26",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.28",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.24",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.27",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.31",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.30",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#65313 (us-sandbox-courier-4.push-apple.com.akadns.net.): answer: us-sandbox-courier-4.push-apple.com.akadns.net. IN A (10.100.0.1) -> NOERROR 23 A 198.51.100.29 23 A 198.51.100.25 23 A 198.51.100.26 23 A 198.51.100.28 23 A 198.51.100.24 23 A 198.51.100.27 23 A 198.51.100.31 23 A 198.51.100.30 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "us-sandbox-courier-4.push-apple.com.akadns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 64776
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "e6858.dsce9.akamaiedge.net",
+ "registered_domain": "akamaiedge.net",
+ "subdomain": "e6858.dsce9",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#64776: query: e6858.dsce9.akamaiedge.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "e6858.dsce9.akamaiedge.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 64776
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.181",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "e6858.dsce9.akamaiedge.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.181",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#64776 (e6858.dsce9.akamaiedge.net.): answer: e6858.dsce9.akamaiedge.net. IN A (10.100.0.1) -> NOERROR 13 A 198.51.100.181 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "e6858.dsce9.akamaiedge.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 64431
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "db._dns-sd._udp.192.0.2.2.in-addr.arpa",
+ "registered_domain": "2.in-addr.arpa",
+ "subdomain": "db._dns-sd._udp.192.0.2",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#64431: query: db._dns-sd._udp.192.0.2.2.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "db._dns-sd._udp.192.0.2.2.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 64431
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "db._dns-sd._udp.192.0.2.2.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#64431 (db._dns-sd._udp.192.0.2.2.in-addr.arpa.): answer: db._dns-sd._udp.192.0.2.2.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "db._dns-sd._udp.192.0.2.2.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 58042
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "1.courier-push-apple.com.akadns.net",
+ "registered_domain": "akadns.net",
+ "subdomain": "1.courier-push-apple.com",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#58042: query: 1.courier-push-apple.com.akadns.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "1.courier-push-apple.com.akadns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 58042
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-nw-courier-4.push-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.33",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.38",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.37",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.34",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.36",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.35",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.32",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "1.courier-push-apple.com.akadns.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-nw-courier-4.push-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.33",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.38",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.37",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.34",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.36",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.35",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.32",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#58042 (1.courier-push-apple.com.akadns.net.): answer: 1.courier-push-apple.com.akadns.net. IN A (10.100.0.1) -> NOERROR 4 CNAME eu-nw-courier-4.push-apple.com.akadns.net. 22 A 198.51.100.33 22 A 198.51.100.38 22 A 198.51.100.37 22 A 198.51.100.34 22 A 198.51.100.36 22 A 198.51.100.35 22 A 198.51.100.32 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "1.courier-push-apple.com.akadns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 55795
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host021.host021.host021.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host021.host021.host021",
+ "top_level_domain": "net",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#55795: query: host021.host021.host021.example.net IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host021.host021.host021.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 59833
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gew4-dealer.g2.spotify.com",
+ "registered_domain": "spotify.com",
+ "subdomain": "gew4-dealer.g2",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#59833: query: gew4-dealer.g2.spotify.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gew4-dealer.g2.spotify.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 59833
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "gew4-dealer-ssl.spotify.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "gew4-dealer.g2.spotify.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "gew4-dealer-ssl.spotify.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#59833 (gew4-dealer.g2.spotify.com.): answer: gew4-dealer.g2.spotify.com. IN TYPE65 (10.100.0.1) -> NOERROR 64 CNAME gew4-dealer-ssl.spotify.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gew4-dealer.g2.spotify.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.80",
+ "port": 51202
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "app-studio-playerapi-prod.azurewebsites.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "waws-prod-am2-719.sip.azurewebsites.windows.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "waws-prod-am2-719-c1d4.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.136",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "studio-playerapi.competence.biz.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "app-studio-playerapi-prod.azurewebsites.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "waws-prod-am2-719.sip.azurewebsites.windows.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "waws-prod-am2-719-c1d4.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.136",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.80#51202 (studio-playerapi.competence.biz.): answer: studio-playerapi.competence.biz. IN A (10.100.0.1) -> NOERROR 10 CNAME app-studio-playerapi-prod.azurewebsites.net. 10 CNAME waws-prod-am2-719.sip.azurewebsites.windows.net. 10 CNAME waws-prod-am2-719-c1d4.westeurope.cloudapp.azure.com. 2 A 198.51.100.136 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "studio-playerapi.competence.biz."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 55795
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host021.host021.host021.example.net.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#55795 (host021.host021.host021.example.net.): answer: host021.host021.host021.example.net. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host021.host021.host021.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 53056
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gew4-dealer.g2.spotify.com",
+ "registered_domain": "spotify.com",
+ "subdomain": "gew4-dealer.g2",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#53056: query: gew4-dealer.g2.spotify.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gew4-dealer.g2.spotify.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 53056
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "gew4-dealer-ssl.spotify.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.203",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "gew4-dealer.g2.spotify.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "gew4-dealer-ssl.spotify.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.203",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#53056 (gew4-dealer.g2.spotify.com.): answer: gew4-dealer.g2.spotify.com. IN A (10.100.0.1) -> NOERROR 63 CNAME gew4-dealer-ssl.spotify.com. 26 A 198.51.100.203 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gew4-dealer.g2.spotify.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.160",
+ "port": 63912
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dns.weixin.qq.com.cn",
+ "registered_domain": "qq.com.cn",
+ "subdomain": "dns.weixin",
+ "top_level_domain": "com.cn",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.160#63912: query: dns.weixin.qq.com.cn IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.weixin.qq.com.cn"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.160",
+ "port": 63912
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.224",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.223",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "dns.weixin.qq.com.cn.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.224",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.223",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.160#63912 (dns.weixin.qq.com.cn.): answer: dns.weixin.qq.com.cn. IN A (10.100.0.1) -> NOERROR 106 A 198.51.100.224 106 A 198.51.100.223 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.weixin.qq.com.cn."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.142",
+ "port": 64168
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "europe.cp.wd.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "europe.cp.wd",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.142#64168: query: europe.cp.wd.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.cp.wd.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.142",
+ "port": 64168
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "wd-prod-cp-eu.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.227",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "europe.cp.wd.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "wd-prod-cp-eu.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.227",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.142#64168 (europe.cp.wd.microsoft.com.): answer: europe.cp.wd.microsoft.com. IN A (10.100.0.1) -> NOERROR 982 CNAME wd-prod-cp-eu.trafficmanager.net. 208 CNAME wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com. 5 A 198.51.100.227 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.cp.wd.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 60866
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dgw.c10r.facebook.com",
+ "registered_domain": "facebook.com",
+ "subdomain": "dgw.c10r",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#60866: query: dgw.c10r.facebook.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dgw.c10r.facebook.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 60866
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.26",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "dgw.c10r.facebook.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.26",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#60866 (dgw.c10r.facebook.com.): answer: dgw.c10r.facebook.com. IN A (10.100.0.1) -> NOERROR 32 A 198.51.100.26 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dgw.c10r.facebook.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 56846
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mqtt.c10r.facebook.com",
+ "registered_domain": "facebook.com",
+ "subdomain": "mqtt.c10r",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#56846: query: mqtt.c10r.facebook.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mqtt.c10r.facebook.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 56846
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.25",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "mqtt.c10r.facebook.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.25",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#56846 (mqtt.c10r.facebook.com.): answer: mqtt.c10r.facebook.com. IN A (10.100.0.1) -> NOERROR 1 A 198.51.100.25 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mqtt.c10r.facebook.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.154",
+ "port": 1878
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eur.loki.delve.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "eur.loki.delve",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.154#1878: query: eur.loki.delve.office.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eur.loki.delve.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.154",
+ "port": 1878
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "loki-atm-prod-eur.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eur.fxgateway.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mira-cmn.tm-4.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.166",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.174",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.172",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.171",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.167",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.168",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.176",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.177",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eur.loki.delve.office.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "loki-atm-prod-eur.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eur.fxgateway.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mira-cmn.tm-4.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.166",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.174",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.172",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.171",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.167",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.168",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.176",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.177",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.154#1878 (eur.loki.delve.office.com.): answer: eur.loki.delve.office.com. IN A (10.100.0.1) -> NOERROR 74 CNAME loki-atm-prod-eur.trafficmanager.net. 13 CNAME eur.fxgateway.svc.cloud.microsoft. 76 CNAME mira-cmn.tm-4.office.com. 0 A 198.51.100.166 0 A 198.51.100.174 0 A 198.51.100.172 0 A 198.51.100.171 0 A 198.51.100.167 0 A 198.51.100.168 0 A 198.51.100.176 0 A 198.51.100.177 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eur.loki.delve.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.49",
+ "port": 56058
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.49#56058: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.49",
+ "port": 56058
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.49#56058 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.253",
+ "port": 22877
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host072.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host072",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.253#22877: query: host072.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host072.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.34",
+ "port": 59946
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-mobile.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-mobile.events.data",
+ "top_level_domain": "com",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.34#59946: query: eu-mobile.events.data.microsoft.com IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-mobile.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.253",
+ "port": 22877
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host072.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.253#22877 (host072.example.net.): answer: host072.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host072.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.34",
+ "port": 59946
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-mobile.events.data.microsoft.com.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.34#59946 (eu-mobile.events.data.microsoft.com.): answer: eu-mobile.events.data.microsoft.com. IN AAAA (10.100.0.1) -> NOERROR 8 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-mobile.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 56731
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host002.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host002",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56731: query: host002.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host002.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 56731
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host002.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56731 (host002.example.net.): answer: host002.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host002.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.253",
+ "port": 41595
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host072.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host072",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.253#41595: query: host072.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host072.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.253",
+ "port": 41595
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.254",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host072.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.254",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.253#41595 (host072.example.net.): answer: host072.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.254 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host072.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.34",
+ "port": 63717
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-mobile.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-mobile.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.34#63717: query: eu-mobile.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-mobile.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.34",
+ "port": 63717
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-mobile.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.34#63717 (eu-mobile.events.data.microsoft.com.): answer: eu-mobile.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 8 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-mobile.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 45026
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host073.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host073",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#45026: query: host073.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host073.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 45026
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host073.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#45026 (host073.example.net.): answer: host073.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host073.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 52316
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "star.c10r.facebook.com",
+ "registered_domain": "facebook.com",
+ "subdomain": "star.c10r",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#52316: query: star.c10r.facebook.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "star.c10r.facebook.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 52316
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.24",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "star.c10r.facebook.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.24",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#52316 (star.c10r.facebook.com.): answer: star.c10r.facebook.com. IN A (10.100.0.1) -> NOERROR 55 A 198.51.100.24 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "star.c10r.facebook.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.56",
+ "port": 56153
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.56#56153: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.56",
+ "port": 56153
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.56#56153 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 36524
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host074.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host074",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#36524: query: host074.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host074.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.145",
+ "port": 62532
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ocsp2.apple.com",
+ "registered_domain": "apple.com",
+ "subdomain": "ocsp2",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.145#62532: query: ocsp2.apple.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ocsp2.apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.145",
+ "port": 62532
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ocsp2.g.aaplimg.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ocsp2.apple.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ocsp2.g.aaplimg.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.145#62532 (ocsp2.apple.com.): answer: ocsp2.apple.com. IN TYPE65 (10.100.0.1) -> NOERROR 313 CNAME ocsp2.g.aaplimg.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ocsp2.apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 36524
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host074.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#36524 (host074.example.net.): answer: host074.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host074.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.145",
+ "port": 50127
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ocsp2.apple.com",
+ "registered_domain": "apple.com",
+ "subdomain": "ocsp2",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.145#50127: query: ocsp2.apple.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ocsp2.apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.145",
+ "port": 50127
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ocsp2.g.aaplimg.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.57",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.52",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.56",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ocsp2.apple.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ocsp2.g.aaplimg.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.57",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.52",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.56",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.145#50127 (ocsp2.apple.com.): answer: ocsp2.apple.com. IN A (10.100.0.1) -> NOERROR 313 CNAME ocsp2.g.aaplimg.com. 13 A 198.51.100.57 13 A 198.51.100.52 13 A 198.51.100.56 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ocsp2.apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.219",
+ "port": 33233
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa",
+ "registered_domain": "52.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.219#33233: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.219",
+ "port": 33233
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.219#33233 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 43494
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host075.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host075",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#43494: query: host075.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host075.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 43494
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host075.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#43494 (host075.example.net.): answer: host075.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host075.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.219",
+ "port": 33029
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host008.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host008",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.219#33029: query: host008.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host008.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.219",
+ "port": 33029
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.100.0.1",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host008.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.100.0.1",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.219#33029 (host008.example.net.): answer: host008.example.net. IN A (10.100.0.1) -> NOERROR 3600 A 10.100.0.1 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host008.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 53960
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host076.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host076",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#53960: query: host076.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host076.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.137",
+ "port": 61593
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com",
+ "registered_domain": "citrix.com",
+ "subdomain": "downloadplugins",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.137#61593: query: downloadplugins.citrix.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.137",
+ "port": 61593
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.137#61593 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 53960
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host076.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#53960 (host076.example.net.): answer: host076.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host076.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.167",
+ "port": 52213
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.192.0.2.2.in-addr.arpa",
+ "registered_domain": "2.in-addr.arpa",
+ "subdomain": "lb._dns-sd._udp.192.0.2",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.167#52213: query: lb._dns-sd._udp.192.0.2.2.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.192.0.2.2.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.167",
+ "port": 52213
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.192.0.2.2.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.167#52213 (lb._dns-sd._udp.192.0.2.2.in-addr.arpa.): answer: lb._dns-sd._udp.192.0.2.2.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.192.0.2.2.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.167",
+ "port": 57423
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host021.host021.host021.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host021.host021.host021",
+ "top_level_domain": "net",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.167#57423: query: host021.host021.host021.example.net IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host021.host021.host021.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.254",
+ "port": 44765
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host077.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host077",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.254#44765: query: host077.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host077.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.167",
+ "port": 57423
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host021.host021.host021.example.net.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.167#57423 (host021.host021.host021.example.net.): answer: host021.host021.host021.example.net. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host021.host021.host021.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.254",
+ "port": 37392
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host077.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host077",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.254#37392: query: host077.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host077.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.254",
+ "port": 44765
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.253",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host077.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.253",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.254#44765 (host077.example.net.): answer: host077.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.253 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host077.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.167",
+ "port": 65048
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "app-analytics-services.com",
+ "registered_domain": "app-analytics-services.com",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.167#65048: query: app-analytics-services.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "app-analytics-services.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.167",
+ "port": 65048
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.109",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "app-analytics-services.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.109",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.167#65048 (app-analytics-services.com.): answer: app-analytics-services.com. IN A (10.100.0.1) -> NOERROR 201 A 198.51.100.109 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "app-analytics-services.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.167",
+ "port": 58370
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.198.51.100.113.in-addr.arpa",
+ "registered_domain": "113.in-addr.arpa",
+ "subdomain": "lb._dns-sd._udp.198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.167#58370: query: lb._dns-sd._udp.198.51.100.113.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.198.51.100.113.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.167",
+ "port": 58370
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.198.51.100.113.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.167#58370 (lb._dns-sd._udp.198.51.100.113.in-addr.arpa.): answer: lb._dns-sd._udp.198.51.100.113.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.198.51.100.113.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.254",
+ "port": 37392
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host077.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.254#37392 (host077.example.net.): answer: host077.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host077.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 57750
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host078.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host078",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#57750: query: host078.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host078.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 57750
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host078.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#57750 (host078.example.net.): answer: host078.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host078.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 38698
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host079.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host079",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#38698: query: host079.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host079.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 38698
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host079.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#38698 (host079.example.net.): answer: host079.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host079.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 59608
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host080.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host080",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#59608: query: host080.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host080.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 59608
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host080.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#59608 (host080.example.net.): answer: host080.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host080.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.95",
+ "port": 61842
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-office.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-office.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.95#61842: query: eu-office.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-office.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.95",
+ "port": 61842
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.aria.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdneu02.northeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.155",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-office.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.aria.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdneu02.northeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.155",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.95#61842 (eu-office.events.data.microsoft.com.): answer: eu-office.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 88 CNAME eu.aria.events.data.trafficmanager.net. 11 CNAME onedscolprdneu02.northeurope.cloudapp.azure.com. 2 A 198.51.100.155 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-office.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 57340
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host081.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host081",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#57340: query: host081.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host081.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 57340
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host081.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#57340 (host081.example.net.): answer: host081.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host081.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.225",
+ "port": 62845
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host082.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host082",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.225#62845: query: host082.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host082.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.225",
+ "port": 62845
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host082.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.225#62845 (host082.example.net.): answer: host082.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host082.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 49669
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host011.host011.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host011.host011",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#49669: query: host011.host011.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host011.host011.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 49669
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host011.host011.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#49669 (host011.host011.example.net.): answer: host011.host011.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host011.host011.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.94",
+ "port": 50368
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "wise-m.public.cdn.office.net",
+ "registered_domain": "office.net",
+ "subdomain": "wise-m.public.cdn",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.94#50368: query: wise-m.public.cdn.office.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "wise-m.public.cdn.office.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.94",
+ "port": 50368
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "res-prod.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-1.cdn.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-stls-prod.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a726.dscd.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "wise-m.public.cdn.office.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "res-prod.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-1.cdn.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-stls-prod.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a726.dscd.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.94#50368 (wise-m.public.cdn.office.net.): answer: wise-m.public.cdn.office.net. IN TYPE65 (10.100.0.1) -> NOERROR 172 CNAME res-prod.trafficmanager.net. 103 CNAME res-1.cdn.office.net. 96 CNAME res-stls-prod.edgesuite.net. 221 CNAME a726.dscd.akamai.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "wise-m.public.cdn.office.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.94",
+ "port": 60819
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "wise-m.public.cdn.office.net",
+ "registered_domain": "office.net",
+ "subdomain": "wise-m.public.cdn",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.94#60819: query: wise-m.public.cdn.office.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "wise-m.public.cdn.office.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.94",
+ "port": 60819
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "res-prod.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-1.cdn.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-stls-prod.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a726.dscd.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.75",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.71",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.73",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.70",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.67",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.61",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.63",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.68",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "wise-m.public.cdn.office.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "res-prod.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-1.cdn.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "res-stls-prod.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a726.dscd.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.75",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.71",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.73",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.70",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.67",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.61",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.63",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.68",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.94#60819 (wise-m.public.cdn.office.net.): answer: wise-m.public.cdn.office.net. IN A (10.100.0.1) -> NOERROR 171 CNAME res-prod.trafficmanager.net. 102 CNAME res-1.cdn.office.net. 95 CNAME res-stls-prod.edgesuite.net. 220 CNAME a726.dscd.akamai.net. 9 A 198.51.100.75 9 A 198.51.100.71 9 A 198.51.100.73 9 A 198.51.100.70 9 A 198.51.100.67 9 A 198.51.100.61 9 A 198.51.100.63 9 A 198.51.100.68"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "wise-m.public.cdn.office.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 48250
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host083.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host083",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#48250: query: host083.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host083.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 48250
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host083.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#48250 (host083.example.net.): answer: host083.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host083.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 48825
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host084.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host084",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#48825: query: host084.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host084.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.94",
+ "port": 60330
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-excel.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "euc-excel.officeapps",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.94#60330: query: euc-excel.officeapps.live.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-excel.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.94",
+ "port": 51758
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-excel.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "euc-excel.officeapps",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.94#51758: query: euc-excel.officeapps.live.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-excel.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.94",
+ "port": 60330
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-excel-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-excel.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "euc-excel.officeapps.live.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-excel-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-excel.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.94#60330 (euc-excel.officeapps.live.com.): answer: euc-excel.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 49 CNAME euc-excel-geo.wac.trafficmanager.net. 55 CNAME euc-excel.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 44 CNAME wac-0003.wac-msedge.net. 17 A 198.51.100.235 17 A 198.51.100.236 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-excel.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.94",
+ "port": 51758
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-excel-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "euc-excel.officeapps.live.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-excel-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.94#51758 (euc-excel.officeapps.live.com.): answer: euc-excel.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR 50 CNAME euc-excel-geo.wac.trafficmanager.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-excel.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 48825
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host084.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#48825 (host084.example.net.): answer: host084.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host084.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 50987
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gew4-dealer-ssl.spotify.com",
+ "registered_domain": "spotify.com",
+ "subdomain": "gew4-dealer-ssl",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#50987: query: gew4-dealer-ssl.spotify.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gew4-dealer-ssl.spotify.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.157",
+ "port": 50987
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gew4-dealer-ssl.spotify.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.157#50987 (gew4-dealer-ssl.spotify.com.): answer: gew4-dealer-ssl.spotify.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gew4-dealer-ssl.spotify.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 56510
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host085.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host085",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#56510: query: host085.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host085.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 56510
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host085.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#56510 (host085.example.net.): answer: host085.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host085.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.254",
+ "port": 48620
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.23.in-addr.arpa",
+ "registered_domain": "23.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.254#48620: query: 198.51.100.23.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.23.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.254",
+ "port": 48620
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host077.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.23.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host077.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.254#48620 (198.51.100.23.in-addr.arpa.): answer: 198.51.100.23.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host077.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.23.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 40677
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host086.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host086",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#40677: query: host086.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host086.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 40677
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host086.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#40677 (host086.example.net.): answer: host086.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host086.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.254",
+ "port": 52044
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host087.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host087",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.254#52044: query: host087.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host087.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.254",
+ "port": 52044
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host087.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.254#52044 (host087.example.net.): answer: host087.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host087.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 56682
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host088.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host088",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#56682: query: host088.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host088.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.162",
+ "port": 53596
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host021.host021.host021.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host021.host021.host021",
+ "top_level_domain": "net",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.162#53596: query: host021.host021.host021.example.net IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host021.host021.host021.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.254",
+ "port": 45525
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host087.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host087",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.254#45525: query: host087.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host087.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 56682
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host088.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#56682 (host088.example.net.): answer: host088.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host088.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.162",
+ "port": 53596
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host021.host021.host021.example.net.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.162#53596 (host021.host021.host021.example.net.): answer: host021.host021.host021.example.net. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host021.host021.host021.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.254",
+ "port": 45525
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.255",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host087.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.255",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.254#45525 (host087.example.net.): answer: host087.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.255 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host087.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.162",
+ "port": 56221
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.192.0.2.2.in-addr.arpa",
+ "registered_domain": "2.in-addr.arpa",
+ "subdomain": "lb._dns-sd._udp.192.0.2",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.162#56221: query: lb._dns-sd._udp.192.0.2.2.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.192.0.2.2.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.162",
+ "port": 64124
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.198.51.100.113.in-addr.arpa",
+ "registered_domain": "113.in-addr.arpa",
+ "subdomain": "lb._dns-sd._udp.198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.162#64124: query: lb._dns-sd._udp.198.51.100.113.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.198.51.100.113.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.162",
+ "port": 64124
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.198.51.100.113.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.162#64124 (lb._dns-sd._udp.198.51.100.113.in-addr.arpa.): answer: lb._dns-sd._udp.198.51.100.113.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.198.51.100.113.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.162",
+ "port": 56221
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.192.0.2.2.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.162#56221 (lb._dns-sd._udp.192.0.2.2.in-addr.arpa.): answer: lb._dns-sd._udp.192.0.2.2.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.192.0.2.2.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 59798
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host089.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host089",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#59798: query: host089.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host089.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 59798
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host089.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#59798 (host089.example.net.): answer: host089.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host089.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 41456
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host090.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host090",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#41456: query: host090.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host090.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 41456
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host090.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#41456 (host090.example.net.): answer: host090.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host090.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 41941
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host091.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host091",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#41941: query: host091.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host091.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 41941
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host091.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#41941 (host091.example.net.): answer: host091.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host091.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 58281
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host092.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host092",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#58281: query: host092.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host092.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 58281
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host092.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#58281 (host092.example.net.): answer: host092.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host092.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.253",
+ "port": 53919
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host087.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host087",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.253#53919: query: host087.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host087.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.253",
+ "port": 35807
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host087.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host087",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.253#35807: query: host087.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host087.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.253",
+ "port": 53919
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.255",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host087.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.255",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.253#53919 (host087.example.net.): answer: host087.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.255 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host087.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.253",
+ "port": 35807
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host087.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.253#35807 (host087.example.net.): answer: host087.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host087.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.145",
+ "port": 59556
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ocsp2.g.aaplimg.com",
+ "registered_domain": "aaplimg.com",
+ "subdomain": "ocsp2.g",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.145#59556: query: ocsp2.g.aaplimg.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ocsp2.g.aaplimg.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.145",
+ "port": 59556
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ocsp2.g.aaplimg.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.145#59556 (ocsp2.g.aaplimg.com.): answer: ocsp2.g.aaplimg.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ocsp2.g.aaplimg.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 33174
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host093.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host093",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#33174: query: host093.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host093.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 33174
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host093.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#33174 (host093.example.net.): answer: host093.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host093.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 56731
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host020.host020.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host020.host020",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56731: query: host020.host020.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host020.host020.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 56731
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host020.host020.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56731 (host020.host020.example.net.): answer: host020.host020.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host020.host020.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.154",
+ "port": 14516
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "gtv-fleks.nl.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.56",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.gtv-fleks.nl.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "gtv-fleks.nl.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.56",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.154#14516 (www.gtv-fleks.nl.): answer: www.gtv-fleks.nl. IN A (10.100.0.1) -> NOERROR 60 CNAME gtv-fleks.nl. 60 A 198.51.100.56 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.gtv-fleks.nl."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.43",
+ "port": 60529
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ctldl.windowsupdate.com",
+ "registered_domain": "windowsupdate.com",
+ "subdomain": "ctldl",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.43#60529: query: ctldl.windowsupdate.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ctldl.windowsupdate.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.43",
+ "port": 60529
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ctldl.windowsupdate.com.delivery.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wu-b-net.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "bg.microsoft.map.fastly.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.112",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.111",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ctldl.windowsupdate.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ctldl.windowsupdate.com.delivery.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wu-b-net.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "bg.microsoft.map.fastly.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.112",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.111",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.43#60529 (ctldl.windowsupdate.com.): answer: ctldl.windowsupdate.com. IN A (10.100.0.1) -> NOERROR 2379 CNAME ctldl.windowsupdate.com.delivery.microsoft.com. 2350 CNAME wu-b-net.trafficmanager.net. 247 CNAME bg.microsoft.map.fastly.net. 19 A 198.51.100.112 19 A 198.51.100.111 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ctldl.windowsupdate.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 47471
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host094.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host094",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#47471: query: host094.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host094.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 47471
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host094.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#47471 (host094.example.net.): answer: host094.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host094.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 34785
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host095.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host095",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#34785: query: host095.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host095.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 34785
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host095.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#34785 (host095.example.net.): answer: host095.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host095.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.253",
+ "port": 23764
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.36.in-addr.arpa",
+ "registered_domain": "36.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.253#23764: query: 198.51.100.36.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.36.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.253",
+ "port": 23764
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host072.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.36.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host072.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.253#23764 (198.51.100.36.in-addr.arpa.): answer: 198.51.100.36.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host072.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.36.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.48",
+ "port": 55384
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ipagave.azurewebsites.net",
+ "registered_domain": "azurewebsites.net",
+ "subdomain": "ipagave",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#55384: query: ipagave.azurewebsites.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ipagave.azurewebsites.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.48",
+ "port": 55384
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "waws-prod-dm1-013.vip.azurewebsites.windows.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ipagave.azurewebsites.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "waws-prod-dm1-013.vip.azurewebsites.windows.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#55384 (ipagave.azurewebsites.net.): answer: ipagave.azurewebsites.net. IN TYPE65 (10.100.0.1) -> NOERROR 1017 CNAME waws-prod-dm1-013.vip.azurewebsites.windows.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ipagave.azurewebsites.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.48",
+ "port": 57943
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ipagave.azurewebsites.net",
+ "registered_domain": "azurewebsites.net",
+ "subdomain": "ipagave",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#57943: query: ipagave.azurewebsites.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ipagave.azurewebsites.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.48",
+ "port": 57943
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "waws-prod-dm1-013.vip.azurewebsites.windows.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "waws-prod-dm1-013.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.216",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ipagave.azurewebsites.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "waws-prod-dm1-013.vip.azurewebsites.windows.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "waws-prod-dm1-013.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.216",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#57943 (ipagave.azurewebsites.net.): answer: ipagave.azurewebsites.net. IN A (10.100.0.1) -> NOERROR 1017 CNAME waws-prod-dm1-013.vip.azurewebsites.windows.net. 21 CNAME waws-prod-dm1-013.centralus.cloudapp.azure.com. 1 A 198.51.100.216 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ipagave.azurewebsites.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 54097
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host096.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host096",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#54097: query: host096.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host096.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.48",
+ "port": 53931
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "addin.insights.static.microsoft",
+ "registered_domain": "static.microsoft",
+ "subdomain": "addin.insights",
+ "top_level_domain": "microsoft",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#53931: query: addin.insights.static.microsoft IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "addin.insights.static.microsoft"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.48",
+ "port": 53931
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "agave-prod-afd-d5fmb2bnhpffbrbu.b01.azurefd.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "addin.insights.static.microsoft.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "agave-prod-afd-d5fmb2bnhpffbrbu.b01.azurefd.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#53931 (addin.insights.static.microsoft.): answer: addin.insights.static.microsoft. IN TYPE65 (10.100.0.1) -> NOERROR 157 CNAME agave-prod-afd-d5fmb2bnhpffbrbu.b01.azurefd.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "addin.insights.static.microsoft."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.111",
+ "port": 60952
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dns.msftncsi.com",
+ "registered_domain": "msftncsi.com",
+ "subdomain": "dns",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.111#60952: query: dns.msftncsi.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.msftncsi.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.111",
+ "port": 60952
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.215",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "dns.msftncsi.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.215",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.111#60952 (dns.msftncsi.com.): answer: dns.msftncsi.com. IN A (10.100.0.1) -> NOERROR 8 A 198.51.100.215 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.msftncsi.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 54097
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host096.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#54097 (host096.example.net.): answer: host096.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host096.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 37600
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host097.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host097",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#37600: query: host097.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host097.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.48",
+ "port": 49224
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "addin.insights.static.microsoft",
+ "registered_domain": "static.microsoft",
+ "subdomain": "addin.insights",
+ "top_level_domain": "microsoft",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#49224: query: addin.insights.static.microsoft IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "addin.insights.static.microsoft"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.48",
+ "port": 49224
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "agave-prod-afd-d5fmb2bnhpffbrbu.b01.azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mr-b01.tm-azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dual.part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.211",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "addin.insights.static.microsoft.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "agave-prod-afd-d5fmb2bnhpffbrbu.b01.azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mr-b01.tm-azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dual.part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.211",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#49224 (addin.insights.static.microsoft.): answer: addin.insights.static.microsoft. IN A (10.100.0.1) -> NOERROR 157 CNAME agave-prod-afd-d5fmb2bnhpffbrbu.b01.azurefd.net. 25 CNAME mr-b01.tm-azurefd.net. 28 CNAME dual.part-0017.t-0009.fb-t-msedge.net. 37 CNAME part-0017.t-0009.fb-t-msedge.net. 35 A 198.51.100.210 35 A 198.51.100.211 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "addin.insights.static.microsoft."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 37600
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host097.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#37600 (host097.example.net.): answer: host097.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host097.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 47390
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host098.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host098",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#47390: query: host098.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host098.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 47390
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host098.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#47390 (host098.example.net.): answer: host098.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host098.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 55646
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host099.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host099",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#55646: query: host099.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host099.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 55646
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host099.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#55646 (host099.example.net.): answer: host099.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host099.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 35632
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host100.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host100",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#35632: query: host100.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host100.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 35632
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host100.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#35632 (host100.example.net.): answer: host100.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host100.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 52494
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host101.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host101",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#52494: query: host101.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host101.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 52494
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host101.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#52494 (host101.example.net.): answer: host101.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host101.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 43828
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host102.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host102",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#43828: query: host102.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host102.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.255",
+ "port": 36019
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.36.in-addr.arpa",
+ "registered_domain": "36.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.255#36019: query: 198.51.100.36.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.36.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.134",
+ "port": 43828
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host102.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.134#43828 (host102.example.net.): answer: host102.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host102.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.255",
+ "port": 36019
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host072.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.36.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host072.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.255#36019 (198.51.100.36.in-addr.arpa.): answer: 198.51.100.36.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host072.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.36.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 49669
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host024.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host024",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#49669: query: host024.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host024.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 49669
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host024.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#49669 (host024.example.net.): answer: host024.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host024.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.69",
+ "port": 53821
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.69#53821: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.69",
+ "port": 53821
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.69#53821 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.159",
+ "port": 61850
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "a1854.casalemedia.com",
+ "registered_domain": "casalemedia.com",
+ "subdomain": "a1854",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.159#61850: query: a1854.casalemedia.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "a1854.casalemedia.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.255",
+ "port": 17520
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.23.in-addr.arpa",
+ "registered_domain": "23.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.255#17520: query: 198.51.100.23.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.23.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.98",
+ "port": 52482
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "europe.cp.wd.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "europe.cp.wd",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.98#52482: query: europe.cp.wd.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.cp.wd.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.98",
+ "port": 52482
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "wd-prod-cp-eu.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.227",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "europe.cp.wd.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "wd-prod-cp-eu.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.227",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.98#52482 (europe.cp.wd.microsoft.com.): answer: europe.cp.wd.microsoft.com. IN A (10.100.0.1) -> NOERROR 982 CNAME wd-prod-cp-eu.trafficmanager.net. 208 CNAME wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com. 5 A 198.51.100.227 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.cp.wd.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.255",
+ "port": 17520
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host077.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.23.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host077.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.255#17520 (198.51.100.23.in-addr.arpa.): answer: 198.51.100.23.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host077.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.23.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.159",
+ "port": 59616
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "a1854.casalemedia.com",
+ "registered_domain": "casalemedia.com",
+ "subdomain": "a1854",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.159#59616: query: a1854.casalemedia.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "a1854.casalemedia.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.25",
+ "port": 57594
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host103.host103.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host103.host103",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.25#57594: query: host103.host103.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host103.host103.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.25",
+ "port": 57594
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.26",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host103.host103.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.26",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.25#57594 (host103.host103.example.net.): answer: host103.host103.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.1.26 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host103.host103.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 56731
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host026.host026.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host026.host026",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56731: query: host026.host026.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host026.host026.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 56731
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host026.host026.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56731 (host026.host026.example.net.): answer: host026.host026.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host026.host026.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.70",
+ "port": 57664
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.70#57664: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.159",
+ "port": 61850
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "a1854.casalemedia.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.159#61850 (a1854.casalemedia.com.): answer: a1854.casalemedia.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "a1854.casalemedia.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.70",
+ "port": 57664
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.70#57664 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 56130
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "star.fallback.c10r.instagram.com",
+ "registered_domain": "instagram.com",
+ "subdomain": "star.fallback.c10r",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#56130: query: star.fallback.c10r.instagram.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "star.fallback.c10r.instagram.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 56130
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.20",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "star.fallback.c10r.instagram.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.20",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#56130 (star.fallback.c10r.instagram.com.): answer: star.fallback.c10r.instagram.com. IN A (10.100.0.1) -> NOERROR 8 A 198.51.100.20 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "star.fallback.c10r.instagram.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.159",
+ "port": 59616
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.53",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "a1854.casalemedia.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.53",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.159#59616 (a1854.casalemedia.com.): answer: a1854.casalemedia.com. IN A (10.100.0.1) -> NOERROR 2554 A 198.51.100.53 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "a1854.casalemedia.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.188",
+ "port": 27352
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.google.com",
+ "registered_domain": "google.com",
+ "subdomain": "www",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.188#27352: query: www.google.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.google.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.188",
+ "port": 27352
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.google.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.188#27352 (www.google.com.): answer: www.google.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.google.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.119",
+ "port": 56834
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "27-courier.push.apple.com",
+ "registered_domain": "apple.com",
+ "subdomain": "27-courier.push",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.119#56834: query: 27-courier.push.apple.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "27-courier.push.apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.119",
+ "port": 56834
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "27.courier-push-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu-nw-courier-4.push-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.35",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.38",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.32",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.37",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.36",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.33",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.34",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "27-courier.push.apple.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "27.courier-push-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu-nw-courier-4.push-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.35",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.38",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.32",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.37",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.36",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.33",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.34",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.119#56834 (27-courier.push.apple.com.): answer: 27-courier.push.apple.com. IN A (10.100.0.1) -> NOERROR 6530 CNAME 27.courier-push-apple.com.akadns.net. 51 CNAME eu-nw-courier-4.push-apple.com.akadns.net. 22 A 198.51.100.35 22 A 198.51.100.38 22 A 198.51.100.32 22 A 198.51.100.37 22 A 198.51.100.36 22 A 198.51.100.33 22 A 198.51.100.34 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "27-courier.push.apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.108",
+ "port": 63521
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-office.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-office.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.108#63521: query: eu-office.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-office.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.108",
+ "port": 63521
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.aria.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdneu02.northeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.155",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-office.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.aria.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdneu02.northeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.155",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.108#63521 (eu-office.events.data.microsoft.com.): answer: eu-office.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 88 CNAME eu.aria.events.data.trafficmanager.net. 11 CNAME onedscolprdneu02.northeurope.cloudapp.azure.com. 2 A 198.51.100.155 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-office.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.113",
+ "port": 52557
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "settings-win.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "settings-win.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.113#52557: query: settings-win.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "settings-win.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.113",
+ "port": 52557
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "atm-settingsfe-prod-geo2.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "settings-prod-weu-1.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.231",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "settings-win.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "atm-settingsfe-prod-geo2.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "settings-prod-weu-1.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.231",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.113#52557 (settings-win.data.microsoft.com.): answer: settings-win.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 454 CNAME atm-settingsfe-prod-geo2.trafficmanager.net. 1 CNAME settings-prod-weu-1.westeurope.cloudapp.azure.com. 2 A 198.51.100.231 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "settings-win.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.188",
+ "port": 22173
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.google.com",
+ "registered_domain": "google.com",
+ "subdomain": "www",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.188#22173: query: www.google.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.google.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.188",
+ "port": 22173
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.244",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.249",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.246",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.247",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.243",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.245",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.242",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.248",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.google.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.244",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.249",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.246",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.247",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.243",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.245",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.242",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.248",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.188#22173 (www.google.com.): answer: www.google.com. IN A (10.100.0.1) -> NOERROR 115 A 198.51.100.244 115 A 198.51.100.249 115 A 198.51.100.246 115 A 198.51.100.247 115 A 198.51.100.243 115 A 198.51.100.245 115 A 198.51.100.242 115 A 198.51.100.248 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.google.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.35",
+ "port": 53568
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "cdns.eu1.gigya.com",
+ "registered_domain": "gigya.com",
+ "subdomain": "cdns.eu1",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.35#53568: query: cdns.eu1.gigya.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "cdns.eu1.gigya.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.35",
+ "port": 62386
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.tui.nl",
+ "registered_domain": "tui.nl",
+ "subdomain": "www",
+ "top_level_domain": "nl",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.35#62386: query: www.tui.nl IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.tui.nl"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.35",
+ "port": 62386
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "www.tui.nl-v1.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e116189.dsca.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.130",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.127",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.tui.nl.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "www.tui.nl-v1.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e116189.dsca.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.130",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.127",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.35#62386 (www.tui.nl.): answer: www.tui.nl. IN A (10.100.0.1) -> NOERROR 49 CNAME www.tui.nl-v1.edgekey.net. 645 CNAME e116189.dsca.akamaiedge.net. 0 A 198.51.100.130 0 A 198.51.100.127 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.tui.nl."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 62730
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "z-p42-chat-e2ee-ig.facebook.com",
+ "registered_domain": "facebook.com",
+ "subdomain": "z-p42-chat-e2ee-ig",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#62730: query: z-p42-chat-e2ee-ig.facebook.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "z-p42-chat-e2ee-ig.facebook.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 62730
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "chat-e2ee-ig-p42.c10r.facebook.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.30",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "z-p42-chat-e2ee-ig.facebook.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "chat-e2ee-ig-p42.c10r.facebook.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.30",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#62730 (z-p42-chat-e2ee-ig.facebook.com.): answer: z-p42-chat-e2ee-ig.facebook.com. IN A (10.100.0.1) -> NOERROR 2994 CNAME chat-e2ee-ig-p42.c10r.facebook.com. 36 A 198.51.100.30 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "z-p42-chat-e2ee-ig.facebook.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.128",
+ "port": 54985
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "benelph.de",
+ "registered_domain": "benelph.de",
+ "top_level_domain": "de",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#54985: query: benelph.de IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "benelph.de"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.13",
+ "port": 65356
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-office.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-office.events.data",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.13#65356: query: eu-office.events.data.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-office.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.144",
+ "port": 54084
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.icloud.com",
+ "registered_domain": "icloud.com",
+ "subdomain": "mask",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.144#54084: query: mask.icloud.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.icloud.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.13",
+ "port": 65356
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.aria.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdneu02.northeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-office.events.data.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.aria.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdneu02.northeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.13#65356 (eu-office.events.data.microsoft.com.): answer: eu-office.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 88 CNAME eu.aria.events.data.trafficmanager.net. 11 CNAME onedscolprdneu02.northeurope.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-office.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.144",
+ "port": 54084
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "mask.apple-dns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "mask.icloud.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "mask.apple-dns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.144#54084 (mask.icloud.com.): answer: mask.icloud.com. IN TYPE65 (10.100.0.1) -> NOERROR 9366 CNAME mask.apple-dns.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.icloud.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.144",
+ "port": 64991
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.icloud.com",
+ "registered_domain": "icloud.com",
+ "subdomain": "mask",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.144#64991: query: mask.icloud.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.icloud.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.144",
+ "port": 64991
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "mask.apple-dns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.42",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.41",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.45",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.46",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.43",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.44",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.40",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.47",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "mask.icloud.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "mask.apple-dns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.42",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.41",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.45",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.46",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.43",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.44",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.40",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.47",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.144#64991 (mask.icloud.com.): answer: mask.icloud.com. IN A (10.100.0.1) -> NOERROR 9366 CNAME mask.apple-dns.net. 3 A 198.51.100.42 3 A 198.51.100.41 3 A 198.51.100.45 3 A 198.51.100.46 3 A 198.51.100.43 3 A 198.51.100.44 3 A 198.51.100.40 3 A 198.51.100.47 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.icloud.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.13",
+ "port": 51416
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-office.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-office.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.13#51416: query: eu-office.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-office.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.13",
+ "port": 51416
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.aria.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdneu02.northeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.155",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-office.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.aria.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdneu02.northeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.155",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.13#51416 (eu-office.events.data.microsoft.com.): answer: eu-office.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 88 CNAME eu.aria.events.data.trafficmanager.net. 11 CNAME onedscolprdneu02.northeurope.cloudapp.azure.com. 2 A 198.51.100.155 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-office.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 49816
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#49816: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 49816
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#49816 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.55",
+ "port": 60563
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "pages.plasticsurgery.org",
+ "registered_domain": "plasticsurgery.org",
+ "subdomain": "pages",
+ "top_level_domain": "org",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.55#60563: query: pages.plasticsurgery.org IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "pages.plasticsurgery.org"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.128",
+ "port": 63448
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "benelph.de",
+ "registered_domain": "benelph.de",
+ "top_level_domain": "de",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#63448: query: benelph.de IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "benelph.de"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 49669
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host028.host028.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host028.host028",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#49669: query: host028.host028.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host028.host028.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 49669
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host028.host028.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#49669 (host028.host028.example.net.): answer: host028.host028.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host028.host028.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.5",
+ "port": 61023
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.5#61023: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.5",
+ "port": 61023
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.5#61023 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.128",
+ "port": 54985
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "benelph.de.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#54985 (benelph.de.): answer: benelph.de. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "benelph.de."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 49196
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "europe.smartscreen",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#49196: query: europe.smartscreen.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 49196
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#49196 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 56229
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "europe.smartscreen",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#56229: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 56229
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#56229 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.128",
+ "port": 63331
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "brwsrfrm.com",
+ "registered_domain": "brwsrfrm.com",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#63331: query: brwsrfrm.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "brwsrfrm.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 51967
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "clients.config.office.net",
+ "registered_domain": "office.net",
+ "subdomain": "clients.config",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#51967: query: clients.config.office.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "clients.config.office.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 51967
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "cloudpolicyclientsconfig.originmira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "atm.common.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "clients.config.office.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "cloudpolicyclientsconfig.originmira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "atm.common.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#51967 (clients.config.office.net.): answer: clients.config.office.net. IN TYPE65 (10.100.0.1) -> NOERROR 205 CNAME cloudpolicyclientsconfig.originmira.tm.svc.cloud.microsoft. 14 CNAME atm.common.mira.tm.svc.cloud.microsoft. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "clients.config.office.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 64591
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "clients.config.office.net",
+ "registered_domain": "office.net",
+ "subdomain": "clients.config",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#64591: query: clients.config.office.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "clients.config.office.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 64591
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "cloudpolicyclientsconfig.originmira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "atm.common.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.175",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.169",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.170",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.173",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "clients.config.office.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "cloudpolicyclientsconfig.originmira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "atm.common.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.175",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.169",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.170",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.173",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#64591 (clients.config.office.net.): answer: clients.config.office.net. IN A (10.100.0.1) -> NOERROR 205 CNAME cloudpolicyclientsconfig.originmira.tm.svc.cloud.microsoft. 14 CNAME atm.common.mira.tm.svc.cloud.microsoft. 3 A 198.51.100.175 3 A 198.51.100.169 3 A 198.51.100.170 3 A 198.51.100.173 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "clients.config.office.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.128",
+ "port": 63448
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.232",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.222",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.226",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.229",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.234",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.225",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.223",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.217",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.219",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.221",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.224",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.227",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.216",
+ "type": "A"
+ },
+ {
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "benelph.de.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.232",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.222",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.226",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.229",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.234",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.225",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.223",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.217",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.219",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.221",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.224",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.227",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.216",
+ "type": "A"
+ },
+ {
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#63448 (benelph.de.): answer: benelph.de. IN A (10.100.0.1) -> NOERROR 264 A 198.51.100.232 264 A 198.51.100.222 264 A 198.51.100.226 264 A 198.51.100.229 264 A 198.51.100.234 264 A 198.51.100.225 264 A 198.51.100.235 264 A 198.51.100.223 264 A 198.51.100.217 264 A 198.51.100.219 264 A 198.51.100.221 264 A 198.51.100.218 264 A 198.51.100.224 264 A 198.51.100.227 264 A 198.51.100.216 264 A"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "benelph.de."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 55028
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edge.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edge",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#55028: query: edge.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 52867
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edge.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edge",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#52867: query: edge.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 55028
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-microsoft-com.ax-0002.ax-msedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edge.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-microsoft-com.ax-0002.ax-msedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#55028 (edge.microsoft.com.): answer: edge.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 626 CNAME edge-microsoft-com.ax-0002.ax-msedge.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 52867
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-microsoft-com.ax-0002.ax-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ax-0002.ax-dc-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.3",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.4",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edge.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-microsoft-com.ax-0002.ax-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ax-0002.ax-dc-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.3",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.4",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#52867 (edge.microsoft.com.): answer: edge.microsoft.com. IN A (10.100.0.1) -> NOERROR 626 CNAME edge-microsoft-com.ax-0002.ax-msedge.net. 80 CNAME ax-0002.ax-dc-msedge.net. 5 A 198.51.100.3 5 A 198.51.100.4 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.50",
+ "port": 53035
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa",
+ "registered_domain": "52.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.50#53035: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.96",
+ "port": 59390
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "teams.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "teams",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.96#59390: query: teams.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "teams.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.96",
+ "port": 59390
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "teams.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "tmc-g2.tm-4.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "teams-office-com.s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.252",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.251",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "teams.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "teams.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "tmc-g2.tm-4.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "teams-office-com.s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.252",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.251",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.96#59390 (teams.microsoft.com.): answer: teams.microsoft.com. IN A (10.100.0.1) -> NOERROR 95863 CNAME teams.office.com. 29 CNAME tmc-g2.tm-4.office.com. 22 CNAME teams-office-com.s-0005.dual-s-msedge.net. 101 CNAME s-0005.dual-s-msedge.net. 25 A 198.51.100.252 25 A 198.51.100.251 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "teams.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.50",
+ "port": 53035
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.50#53035 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.96",
+ "port": 51074
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "teams.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "teams",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.96#51074: query: teams.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "teams.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.96",
+ "port": 51074
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "teams.office.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "teams.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "teams.office.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.96#51074 (teams.microsoft.com.): answer: teams.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 95863 CNAME teams.office.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "teams.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 56731
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host030.host030.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host030.host030",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56731: query: host030.host030.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host030.host030.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 56731
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host030.host030.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56731 (host030.host030.example.net.): answer: host030.host030.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host030.host030.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.125",
+ "port": 60016
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "bag.itunes.apple.com",
+ "registered_domain": "apple.com",
+ "subdomain": "bag.itunes",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#60016: query: bag.itunes.apple.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "bag.itunes.apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.125",
+ "port": 60016
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "bag-cdn.itunes-apple.com.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "bag.itunes.apple.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "bag-cdn.itunes-apple.com.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#60016 (bag.itunes.apple.com.): answer: bag.itunes.apple.com. IN TYPE65 (10.100.0.1) -> NOERROR 3189 CNAME bag-cdn.itunes-apple.com.akadns.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "bag.itunes.apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.125",
+ "port": 49940
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "configuration.apple.com",
+ "registered_domain": "apple.com",
+ "subdomain": "configuration",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#49940: query: configuration.apple.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "configuration.apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.125",
+ "port": 52786
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "configuration.apple.com",
+ "registered_domain": "apple.com",
+ "subdomain": "configuration",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#52786: query: configuration.apple.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "configuration.apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.125",
+ "port": 52786
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "configuration.apple.com.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "configuration.apple.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "configuration.apple.com.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#52786 (configuration.apple.com.): answer: configuration.apple.com. IN TYPE65 (10.100.0.1) -> NOERROR 38606 CNAME configuration.apple.com.akadns.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "configuration.apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.38",
+ "port": 62332
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "api2.cursor.sh",
+ "registered_domain": "cursor.sh",
+ "subdomain": "api2",
+ "top_level_domain": "sh",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.38#62332: query: api2.cursor.sh IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "api2.cursor.sh"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.128",
+ "port": 55554
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "brwsrfrm.com",
+ "registered_domain": "brwsrfrm.com",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#55554: query: brwsrfrm.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "brwsrfrm.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.125",
+ "port": 50952
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "bag.itunes.apple.com",
+ "registered_domain": "apple.com",
+ "subdomain": "bag.itunes",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#50952: query: bag.itunes.apple.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "bag.itunes.apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.125",
+ "port": 50952
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "bag-cdn.itunes-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "bag-cdn-lb.itunes-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "h3.apis.apple.map.fastly.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.13",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.16",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.8",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "bag.itunes.apple.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "bag-cdn.itunes-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "bag-cdn-lb.itunes-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "h3.apis.apple.map.fastly.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.13",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.16",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.8",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#50952 (bag.itunes.apple.com.): answer: bag.itunes.apple.com. IN A (10.100.0.1) -> NOERROR 3190 CNAME bag-cdn.itunes-apple.com.akadns.net. 518 CNAME bag-cdn-lb.itunes-apple.com.akadns.net. 134 CNAME h3.apis.apple.map.fastly.net. 30 A 198.51.100.11 30 A 198.51.100.13 30 A 198.51.100.16 30 A 198.51.100.8 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "bag.itunes.apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.60",
+ "port": 53347
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-mobile.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-mobile.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.60#53347: query: eu-mobile.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-mobile.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.144",
+ "port": 61139
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.apple-dns.net",
+ "registered_domain": "apple-dns.net",
+ "subdomain": "mask",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.144#61139: query: mask.apple-dns.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.apple-dns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.60",
+ "port": 53347
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-mobile.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.60#53347 (eu-mobile.events.data.microsoft.com.): answer: eu-mobile.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 8 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-mobile.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.144",
+ "port": 61139
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.apple-dns.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.144#61139 (mask.apple-dns.net.): answer: mask.apple-dns.net. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.apple-dns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.235",
+ "port": 43542
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "hbase-rs.node6.isieca.eca.local",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.235#43542: query: hbase-rs.node6.isieca.eca.local IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "hbase-rs.node6.isieca.eca.local"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.235",
+ "port": 43542
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "hbase-rs.node6.isieca.eca.local.",
+ "type": "AAAA"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.235#43542 (hbase-rs.node6.isieca.eca.local.): answer: hbase-rs.node6.isieca.eca.local. IN AAAA (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "hbase-rs.node6.isieca.eca.local."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.128",
+ "port": 63331
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "brwsrfrm.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#63331 (brwsrfrm.com.): answer: brwsrfrm.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "brwsrfrm.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.86",
+ "port": 58372
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "enterpriseregistration.windows.net",
+ "registered_domain": "windows.net",
+ "subdomain": "enterpriseregistration",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.86#58372: query: enterpriseregistration.windows.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "enterpriseregistration.windows.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.86",
+ "port": 58372
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "na.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prdf.aadg.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.f.prd.aadg.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.212",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.213",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.150",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.215",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.152",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.151",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.214",
+ "type": "A"
+ },
+ {
+ "data": "40.126.",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "enterpriseregistration.windows.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "na.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prdf.aadg.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.f.prd.aadg.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.212",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.213",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.150",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.215",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.152",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.151",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.214",
+ "type": "A"
+ },
+ {
+ "data": "40.126.",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.86#58372 (enterpriseregistration.windows.net.): answer: enterpriseregistration.windows.net. IN A (10.100.0.1) -> NOERROR 1792 CNAME na.privatelink.msidentity.com. 129 CNAME prdf.aadg.msidentity.com. 21 CNAME www.tm.f.prd.aadg.akadns.net. 291 A 198.51.100.212 291 A 198.51.100.213 291 A 198.51.100.150 291 A 198.51.100.215 291 A 198.51.100.152 291 A 198.51.100.151 291 A 198.51.100.214 291 A 40.126."
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "enterpriseregistration.windows.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 52932
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "testorg.sharepoint.com",
+ "registered_domain": "sharepoint.com",
+ "subdomain": "testorg",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#52932: query: testorg.sharepoint.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "testorg.sharepoint.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 52932
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "1271-ipv4v6s.clump.dprodmgd104.aa-rt.sharepoint.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "189376-ipv4v6s.farm.dprodmgd104.aa-rt.sharepoint.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "189376-ipv4v6g.farm.dprodmgd104.sharepointonline.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "189376-ipv4v6.farm.dprodmgd104.aa-rt.sharepoint.com.dual-spo-0005.sp",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "testorg.sharepoint.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "1271-ipv4v6s.clump.dprodmgd104.aa-rt.sharepoint.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "189376-ipv4v6s.farm.dprodmgd104.aa-rt.sharepoint.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "189376-ipv4v6g.farm.dprodmgd104.sharepointonline.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "189376-ipv4v6.farm.dprodmgd104.aa-rt.sharepoint.com.dual-spo-0005.sp",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#52932 (testorg.sharepoint.com.): answer: testorg.sharepoint.com. IN TYPE65 (10.100.0.1) -> NOERROR 3484 CNAME 1271-ipv4v6s.clump.dprodmgd104.aa-rt.sharepoint.com. 22 CNAME 189376-ipv4v6s.farm.dprodmgd104.aa-rt.sharepoint.com. 3 CNAME 189376-ipv4v6g.farm.dprodmgd104.sharepointonline.com.akadns.net. 260 CNAME 189376-ipv4v6.farm.dprodmgd104.aa-rt.sharepoint.com.dual-spo-0005.sp"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "testorg.sharepoint.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.12",
+ "port": 63585
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "example.net",
+ "registered_domain": "example.net",
+ "top_level_domain": "net",
+ "type": "SOA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.12#63585: query: example.net IN SOA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.12",
+ "port": 63585
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host015.example.net. empty.empty. 1438828 3600 600 1209600 3600",
+ "type": "SOA"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "example.net.",
+ "type": "SOA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host015.example.net. empty.empty. 1438828 3600 600 1209600 3600",
+ "type": "SOA"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.12#63585 (example.net.): answer: example.net. IN SOA (10.100.0.1) -> NOERROR 3600 SOA host015.example.net. empty.empty. 1438828 3600 600 1209600 3600 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 58829
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "testorg.sharepoint.com",
+ "registered_domain": "sharepoint.com",
+ "subdomain": "testorg",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#58829: query: testorg.sharepoint.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "testorg.sharepoint.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 58829
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "1271-ipv4v6s.clump.dprodmgd104.aa-rt.sharepoint.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "189376-ipv4v6s.farm.dprodmgd104.aa-rt.sharepoint.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "189376-ipv4v6g.farm.dprodmgd104.sharepointonline.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "189376-ipv4v6.farm.dprodmgd104.aa-rt.sharepoint.com.dual-spo-0005.spo-mse",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "testorg.sharepoint.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "1271-ipv4v6s.clump.dprodmgd104.aa-rt.sharepoint.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "189376-ipv4v6s.farm.dprodmgd104.aa-rt.sharepoint.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "189376-ipv4v6g.farm.dprodmgd104.sharepointonline.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "189376-ipv4v6.farm.dprodmgd104.aa-rt.sharepoint.com.dual-spo-0005.spo-mse",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#58829 (testorg.sharepoint.com.): answer: testorg.sharepoint.com. IN A (10.100.0.1) -> NOERROR 3484 CNAME 1271-ipv4v6s.clump.dprodmgd104.aa-rt.sharepoint.com. 22 CNAME 189376-ipv4v6s.farm.dprodmgd104.aa-rt.sharepoint.com. 3 CNAME 189376-ipv4v6g.farm.dprodmgd104.sharepointonline.com.akadns.net. 260 CNAME 189376-ipv4v6.farm.dprodmgd104.aa-rt.sharepoint.com.dual-spo-0005.spo-mse"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "testorg.sharepoint.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 49669
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "wpad.canbus.net",
+ "registered_domain": "canbus.net",
+ "subdomain": "wpad",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#49669: query: wpad.canbus.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "wpad.canbus.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 49669
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "wpad.canbus.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#49669 (wpad.canbus.net.): answer: wpad.canbus.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "wpad.canbus.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.128",
+ "port": 55554
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.224",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.225",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.222",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.234",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.216",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.217",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.233",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.231",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.227",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.229",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.228",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.220 10",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "brwsrfrm.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.224",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.225",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.222",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.234",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.216",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.217",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.233",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.231",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.227",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.229",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.228",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.220 10",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.128#55554 (brwsrfrm.com.): answer: brwsrfrm.com. IN A (10.100.0.1) -> NOERROR 104 A 198.51.100.218 104 A 198.51.100.224 104 A 198.51.100.225 104 A 198.51.100.222 104 A 198.51.100.234 104 A 198.51.100.216 104 A 198.51.100.217 104 A 198.51.100.233 104 A 198.51.100.231 104 A 198.51.100.235 104 A 198.51.100.227 104 A 198.51.100.230 104 A 198.51.100.229 104 A 198.51.100.228 104 A 198.51.100.220 10"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "brwsrfrm.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.105",
+ "port": 52689
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host037.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host037",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52689: query: host037.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host037.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.105",
+ "port": 52689
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host037.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52689 (host037.example.net.): answer: host037.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host037.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.105",
+ "port": 52689
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host037.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host037",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52689: query: host037.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host037.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.105",
+ "port": 52689
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.14",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host037.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.14",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52689 (host037.example.net.): answer: host037.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.1.14 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host037.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.105",
+ "port": 52689
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host041.host041.host041.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host041.host041.host041",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52689: query: host041.host041.host041.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host041.host041.host041.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.176",
+ "port": 50469
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.176#50469: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.176",
+ "port": 50469
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.176#50469 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.105",
+ "port": 52689
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host041.host041.host041.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52689 (host041.host041.host041.example.net.): answer: host041.host041.host041.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host041.host041.host041.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 56731
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "wpad.acds.canon-europe.com",
+ "registered_domain": "canon-europe.com",
+ "subdomain": "wpad.acds",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56731: query: wpad.acds.canon-europe.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "wpad.acds.canon-europe.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.6",
+ "port": 60085
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host019.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host019",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.6#60085: query: host019.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host019.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.6",
+ "port": 60085
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.8",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host019.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.8",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.6#60085 (host019.example.net.): answer: host019.example.net. IN A (10.100.0.1) -> NOERROR 180 A 10.1.1.8 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host019.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.124",
+ "port": 57628
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host019.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host019",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.124#57628: query: host019.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host019.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.124",
+ "port": 57628
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.8",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host019.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.8",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.124#57628 (host019.example.net.): answer: host019.example.net. IN A (10.100.0.1) -> NOERROR 180 A 10.1.1.8 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host019.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.62",
+ "port": 1026
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host104.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host104",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.62#1026: query: host104.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host104.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.62",
+ "port": 1026
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "172.16.2.61",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host105.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "172.16.2.61",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.62#1026 (host105.example.net.): answer: host105.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 172.16.2.61 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host105.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.35",
+ "port": 53568
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "d18uol17ln7pq5.cloudfront.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.101",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.103",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.102",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.100",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "cdns.eu1.gigya.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "d18uol17ln7pq5.cloudfront.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.101",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.103",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.102",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.100",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.35#53568 (cdns.eu1.gigya.com.): answer: cdns.eu1.gigya.com. IN A (10.100.0.1) -> NOERROR 46 CNAME d18uol17ln7pq5.cloudfront.net. 2 A 198.51.100.101 2 A 198.51.100.103 2 A 198.51.100.102 2 A 198.51.100.100 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "cdns.eu1.gigya.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.125",
+ "port": 53142
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "configuration.apple.com.akadns.net",
+ "registered_domain": "akadns.net",
+ "subdomain": "configuration.apple.com",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#53142: query: configuration.apple.com.akadns.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "configuration.apple.com.akadns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.125",
+ "port": 53142
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "configuration-row-lb.apple.com.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "configuration.apple.com.akadns.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "configuration-row-lb.apple.com.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#53142 (configuration.apple.com.akadns.net.): answer: configuration.apple.com.akadns.net. IN TYPE65 (10.100.0.1) -> NOERROR 13 CNAME configuration-row-lb.apple.com.akadns.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "configuration.apple.com.akadns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.124",
+ "port": 63372
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "officeclient.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "officeclient",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.124#63372: query: officeclient.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "officeclient.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.124",
+ "port": 63372
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "config.officeapps.live.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod.configsvc1.live.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "europe.configsvc1.live.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "config-prod-weightedww.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "atm.office.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.237",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.239",
+ "type": "A"
+ },
+ {
+ "data": "52.11",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "officeclient.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "config.officeapps.live.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod.configsvc1.live.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "europe.configsvc1.live.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "config-prod-weightedww.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "atm.office.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.237",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.239",
+ "type": "A"
+ },
+ {
+ "data": "52.11",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.124#63372 (officeclient.microsoft.com.): answer: officeclient.microsoft.com. IN A (10.100.0.1) -> NOERROR 858 CNAME config.officeapps.live.com. 903 CNAME prod.configsvc1.live.com.akadns.net. 11 CNAME europe.configsvc1.live.com.akadns.net. 249 CNAME config-prod-weightedww.trafficmanager.net. 54 CNAME atm.office.mira.tm.svc.cloud.microsoft. 9 A 198.51.100.237 9 A 198.51.100.239 9 A 52.11"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "officeclient.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.125",
+ "port": 52968
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "bag-cdn.itunes-apple.com.akadns.net",
+ "registered_domain": "akadns.net",
+ "subdomain": "bag-cdn.itunes-apple.com",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#52968: query: bag-cdn.itunes-apple.com.akadns.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "bag-cdn.itunes-apple.com.akadns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.125",
+ "port": 52968
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "bag-cdn-lb.itunes-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "h3.apis.apple.map.fastly.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "bag-cdn.itunes-apple.com.akadns.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "bag-cdn-lb.itunes-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "h3.apis.apple.map.fastly.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#52968 (bag-cdn.itunes-apple.com.akadns.net.): answer: bag-cdn.itunes-apple.com.akadns.net. IN TYPE65 (10.100.0.1) -> NOERROR 517 CNAME bag-cdn-lb.itunes-apple.com.akadns.net. 133 CNAME h3.apis.apple.map.fastly.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "bag-cdn.itunes-apple.com.akadns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.6",
+ "port": 51330
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host022.host022.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host022.host022",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.6#51330: query: host022.host022.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host022.host022.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.6",
+ "port": 51330
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host023.host023.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.6#51330 (host023.host023.example.net.): answer: host023.host023.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host023.host023.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.5",
+ "port": 56033
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host007",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.5#56033: query: host007.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.5",
+ "port": 56033
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host007",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.5#56033: query: host007.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.5",
+ "port": 56033
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "10.100.0.1",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "10.100.0.1",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.5#56033 (host007.example.net.): answer: host007.example.net. IN A (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net. 3600 A 10.100.0.1 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.5",
+ "port": 56033
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.5#56033 (host007.example.net.): answer: host007.example.net. IN AAAA (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 58919
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.icloud.com",
+ "registered_domain": "icloud.com",
+ "subdomain": "mask",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#58919: query: mask.icloud.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.icloud.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 58919
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "mask.apple-dns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "mask.icloud.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "mask.apple-dns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#58919 (mask.icloud.com.): answer: mask.icloud.com. IN TYPE65 (10.100.0.1) -> NOERROR 9366 CNAME mask.apple-dns.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.icloud.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.33",
+ "port": 54504
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.33#54504: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.33",
+ "port": 54504
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.33#54504 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 50582
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.icloud.com",
+ "registered_domain": "icloud.com",
+ "subdomain": "mask",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#50582: query: mask.icloud.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.icloud.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 50582
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "mask.apple-dns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.47",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.42",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.41",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.45",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.46",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.43",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.44",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.40",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "mask.icloud.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "mask.apple-dns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.47",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.42",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.41",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.45",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.46",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.43",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.44",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.40",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#50582 (mask.icloud.com.): answer: mask.icloud.com. IN A (10.100.0.1) -> NOERROR 9366 CNAME mask.apple-dns.net. 3 A 198.51.100.47 3 A 198.51.100.42 3 A 198.51.100.41 3 A 198.51.100.45 3 A 198.51.100.46 3 A 198.51.100.43 3 A 198.51.100.44 3 A 198.51.100.40 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.icloud.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.40",
+ "port": 56746
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "msedge.b.tlu.dl.delivery.mp.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "msedge.b.tlu.dl.delivery.mp",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.40#56746: query: msedge.b.tlu.dl.delivery.mp.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "msedge.b.tlu.dl.delivery.mp.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.40",
+ "port": 56746
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "star.b.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cdp-f-tlu-net.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wildcard.f.tlu.dl.delivery.mp.microsoft.com.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1847.dscd.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.69",
+ "type": "A"
+ },
+ {
+ "data": "96.1",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "msedge.b.tlu.dl.delivery.mp.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "star.b.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cdp-f-tlu-net.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wildcard.f.tlu.dl.delivery.mp.microsoft.com.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1847.dscd.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.69",
+ "type": "A"
+ },
+ {
+ "data": "96.1",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.40#56746 (msedge.b.tlu.dl.delivery.mp.microsoft.com.): answer: msedge.b.tlu.dl.delivery.mp.microsoft.com. IN A (10.100.0.1) -> NOERROR 167 CNAME star.b.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com. 5168 CNAME cdp-f-tlu-net.trafficmanager.net. 51 CNAME wildcard.f.tlu.dl.delivery.mp.microsoft.com.edgesuite.net. 3735 CNAME a1847.dscd.akamai.net. 2 A 198.51.100.69 2 A 96.1"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "msedge.b.tlu.dl.delivery.mp.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 55168
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edge.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edge",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#55168: query: edge.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 55168
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-microsoft-com.ax-0002.ax-msedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edge.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-microsoft-com.ax-0002.ax-msedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#55168 (edge.microsoft.com.): answer: edge.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 626 CNAME edge-microsoft-com.ax-0002.ax-msedge.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 58590
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edge.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edge",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#58590: query: edge.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 58590
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-microsoft-com.ax-0002.ax-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ax-0002.ax-dc-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.3",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.4",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edge.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-microsoft-com.ax-0002.ax-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ax-0002.ax-dc-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.3",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.4",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#58590 (edge.microsoft.com.): answer: edge.microsoft.com. IN A (10.100.0.1) -> NOERROR 626 CNAME edge-microsoft-com.ax-0002.ax-msedge.net. 80 CNAME ax-0002.ax-dc-msedge.net. 5 A 198.51.100.3 5 A 198.51.100.4 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edge.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 50468
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "instagram.c10r.instagram.com",
+ "registered_domain": "instagram.com",
+ "subdomain": "instagram.c10r",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#50468: query: instagram.c10r.instagram.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "instagram.c10r.instagram.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 50468
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.27",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "instagram.c10r.instagram.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.27",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#50468 (instagram.c10r.instagram.com.): answer: instagram.c10r.instagram.com. IN A (10.100.0.1) -> NOERROR 36 A 198.51.100.27 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "instagram.c10r.instagram.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 56731
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "wpad.acds.canon-europe.com.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#56731 (wpad.acds.canon-europe.com.): answer: wpad.acds.canon-europe.com. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "wpad.acds.canon-europe.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.171",
+ "port": 49449
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "captive-cidr.origin-apple.com.akadns.net",
+ "registered_domain": "akadns.net",
+ "subdomain": "captive-cidr.origin-apple.com",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.171#49449: query: captive-cidr.origin-apple.com.akadns.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "captive-cidr.origin-apple.com.akadns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.171",
+ "port": 49449
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "captive-geo.origin-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "captive.g.aaplimg.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.52",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.57",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "captive-cidr.origin-apple.com.akadns.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "captive-geo.origin-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "captive.g.aaplimg.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.52",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.57",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.171#49449 (captive-cidr.origin-apple.com.akadns.net.): answer: captive-cidr.origin-apple.com.akadns.net. IN A (10.100.0.1) -> NOERROR 281 CNAME captive-geo.origin-apple.com.akadns.net. 52 CNAME captive.g.aaplimg.com. 5 A 198.51.100.52 5 A 198.51.100.57 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "captive-cidr.origin-apple.com.akadns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.171",
+ "port": 64568
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "captive-cidr.origin-apple.com.akadns.net",
+ "registered_domain": "akadns.net",
+ "subdomain": "captive-cidr.origin-apple.com",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.171#64568: query: captive-cidr.origin-apple.com.akadns.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "captive-cidr.origin-apple.com.akadns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.159",
+ "port": 56013
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-teams.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-teams.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.159#56013: query: eu-teams.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-teams.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.159",
+ "port": 56013
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-teams.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.159#56013 (eu-teams.events.data.microsoft.com.): answer: eu-teams.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 9 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-teams.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.75",
+ "port": 64780
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ps.pndsn.com",
+ "registered_domain": "pndsn.com",
+ "subdomain": "ps",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.75#64780: query: ps.pndsn.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ps.pndsn.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.75",
+ "port": 64780
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.199",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.200",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ps.pndsn.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.199",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.200",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.75#64780 (ps.pndsn.com.): answer: ps.pndsn.com. IN A (10.100.0.1) -> NOERROR 275 A 198.51.100.199 275 A 198.51.100.200 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ps.pndsn.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.79",
+ "port": 61599
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "winatp-gw-weu",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.79#61599: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.79",
+ "port": 61599
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.79#61599 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.80",
+ "port": 59144
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.80#59144: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.80",
+ "port": 59144
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.80#59144 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.15",
+ "port": 53168
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.15#53168: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.15",
+ "port": 53168
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.15#53168 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.125",
+ "port": 49940
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "configuration.apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "configuration-row-lb.apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "configuration.v.aaplimg.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.57",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.52",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "configuration.apple.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "configuration.apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "configuration-row-lb.apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "configuration.v.aaplimg.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.57",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.52",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#49940 (configuration.apple.com.): answer: configuration.apple.com. IN A (10.100.0.1) -> NOERROR 38606 CNAME configuration.apple.com.akadns.net. 13 CNAME configuration-row-lb.apple.com.akadns.net. 30 CNAME configuration.v.aaplimg.com. 15 A 198.51.100.57 15 A 198.51.100.52 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "configuration.apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.171",
+ "port": 64568
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "captive-geo.origin-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "captive.g.aaplimg.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "captive-cidr.origin-apple.com.akadns.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "captive-geo.origin-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "captive.g.aaplimg.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.171#64568 (captive-cidr.origin-apple.com.akadns.net.): answer: captive-cidr.origin-apple.com.akadns.net. IN TYPE65 (10.100.0.1) -> NOERROR 281 CNAME captive-geo.origin-apple.com.akadns.net. 52 CNAME captive.g.aaplimg.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "captive-cidr.origin-apple.com.akadns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.124",
+ "port": 54829
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host022.host022.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host022.host022",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.124#54829: query: host022.host022.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host022.host022.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.124",
+ "port": 54829
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host023.host023.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.124#54829 (host023.host023.example.net.): answer: host023.host023.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host023.host023.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 61703
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.apple-dns.net",
+ "registered_domain": "apple-dns.net",
+ "subdomain": "mask",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#61703: query: mask.apple-dns.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.apple-dns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.133",
+ "port": 61703
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.apple-dns.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.133#61703 (mask.apple-dns.net.): answer: mask.apple-dns.net. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.apple-dns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.125",
+ "port": 54005
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "configuration-row-lb.apple.com.akadns.net",
+ "registered_domain": "akadns.net",
+ "subdomain": "configuration-row-lb.apple.com",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#54005: query: configuration-row-lb.apple.com.akadns.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "configuration-row-lb.apple.com.akadns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.57",
+ "port": 60230
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.57#60230: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.57",
+ "port": 60230
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.57#60230 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.156",
+ "port": 62018
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "winatp-gw-weu",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.156#62018: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.156",
+ "port": 62018
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.156#62018 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.57",
+ "port": 50177
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.57#50177: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.57",
+ "port": 50177
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.57#50177 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.83",
+ "port": 59693
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.83#59693: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.83",
+ "port": 59693
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.83#59693 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.38",
+ "port": 62332
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "api2geo.cursor.sh.",
+ "type": "CNAME"
+ },
+ {
+ "data": "api2direct.cursor.sh.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.195",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.14",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.186",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.4",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.185",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.83",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.178",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.185",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "api2.cursor.sh.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "api2geo.cursor.sh.",
+ "type": "CNAME"
+ },
+ {
+ "data": "api2direct.cursor.sh.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.195",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.14",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.186",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.4",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.185",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.83",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.178",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.185",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.38#62332 (api2.cursor.sh.): answer: api2.cursor.sh. IN A (10.100.0.1) -> NOERROR 300 CNAME api2geo.cursor.sh. 300 CNAME api2direct.cursor.sh. 12 A 198.51.100.195 12 A 198.51.100.14 12 A 198.51.100.186 12 A 198.51.100.4 12 A 198.51.100.185 12 A 198.51.100.83 12 A 198.51.100.178 12 A 198.51.100.185 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "api2.cursor.sh."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 49669
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host106.host106.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host106.host106",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#49669: query: host106.host106.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host106.host106.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 48380
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.236.in-addr.arpa",
+ "registered_domain": "236.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#48380: query: 198.51.100.236.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.236.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 48380
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host107.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.236.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host107.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#48380 (198.51.100.236.in-addr.arpa.): answer: 198.51.100.236.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host107.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.236.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.131",
+ "port": 63891
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "winatp-gw-weu",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.131#63891: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.131",
+ "port": 63891
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.131#63891 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.175",
+ "port": 64788
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "forum.viva.nl",
+ "registered_domain": "viva.nl",
+ "subdomain": "forum",
+ "top_level_domain": "nl",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.175#64788: query: forum.viva.nl IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "forum.viva.nl"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.175",
+ "port": 63931
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "forum.viva.nl",
+ "registered_domain": "viva.nl",
+ "subdomain": "forum",
+ "top_level_domain": "nl",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.175#63931: query: forum.viva.nl IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "forum.viva.nl"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 50878
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "test-gateway.instagram.com",
+ "registered_domain": "instagram.com",
+ "subdomain": "test-gateway",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#50878: query: test-gateway.instagram.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "test-gateway.instagram.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 50878
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "dgw-ig.c10r.facebook.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "test-gateway.instagram.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "dgw-ig.c10r.facebook.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#50878 (test-gateway.instagram.com.): answer: test-gateway.instagram.com. IN TYPE65 (10.100.0.1) -> NOERROR 2033 CNAME dgw-ig.c10r.facebook.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "test-gateway.instagram.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.50",
+ "port": 53836
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host007",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.50#53836: query: host007.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.50",
+ "port": 53836
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.50#53836 (host007.example.net.): answer: host007.example.net. IN AAAA (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 59915
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "test-gateway.instagram.com",
+ "registered_domain": "instagram.com",
+ "subdomain": "test-gateway",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#59915: query: test-gateway.instagram.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "test-gateway.instagram.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 59915
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "dgw-ig.c10r.facebook.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.28",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "test-gateway.instagram.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "dgw-ig.c10r.facebook.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.28",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#59915 (test-gateway.instagram.com.): answer: test-gateway.instagram.com. IN A (10.100.0.1) -> NOERROR 2033 CNAME dgw-ig.c10r.facebook.com. 8 A 198.51.100.28 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "test-gateway.instagram.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.62",
+ "port": 51018
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "winatp-gw-weu",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.62#51018: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.62",
+ "port": 51018
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.62#51018 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.182",
+ "port": 60559
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "browser.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "browser.events.data",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.182#60559: query: browser.events.data.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "browser.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.182",
+ "port": 60559
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "browser.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdcus03.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "browser.events.data.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "browser.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdcus03.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.182#60559 (browser.events.data.microsoft.com.): answer: browser.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 48 CNAME browser.events.data.trafficmanager.net. 47 CNAME onedscolprdcus03.centralus.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "browser.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.243",
+ "port": 63757
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.243#63757: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.243",
+ "port": 63757
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.243#63757 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.125",
+ "port": 54005
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "configuration.v.aaplimg.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "configuration-row-lb.apple.com.akadns.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "configuration.v.aaplimg.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.125#54005 (configuration-row-lb.apple.com.akadns.net.): answer: configuration-row-lb.apple.com.akadns.net. IN TYPE65 (10.100.0.1) -> NOERROR 30 CNAME configuration.v.aaplimg.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "configuration-row-lb.apple.com.akadns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.105",
+ "port": 52692
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host037.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host037",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52692: query: host037.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host037.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.105",
+ "port": 52692
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host037.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52692 (host037.example.net.): answer: host037.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host037.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.105",
+ "port": 52692
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host037.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host037",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52692: query: host037.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host037.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.105",
+ "port": 52692
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.14",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host037.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.14",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52692 (host037.example.net.): answer: host037.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.1.14 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host037.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.105",
+ "port": 52692
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host041.host041.host041.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host041.host041.host041",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52692: query: host041.host041.host041.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host041.host041.host041.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.105",
+ "port": 52692
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host041.host041.host041.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.105#52692 (host041.host041.host041.example.net.): answer: host041.host041.host041.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host041.host041.host041.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.136",
+ "port": 51314
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.136#51314: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.136",
+ "port": 51314
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.136#51314 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.175",
+ "port": 64788
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "forum.viva.nl.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.175#64788 (forum.viva.nl.): answer: forum.viva.nl. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "forum.viva.nl."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.136",
+ "port": 65429
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.136#65429: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.136",
+ "port": 65429
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.136#65429 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.50",
+ "port": 59089
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host008.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host008",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.50#59089: query: host008.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host008.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.50",
+ "port": 59089
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host008.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.50#59089 (host008.example.net.): answer: host008.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host008.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.37",
+ "port": 58764
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-powerpoint.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "euc-powerpoint.officeapps",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.37#58764: query: euc-powerpoint.officeapps.live.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-powerpoint.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.37",
+ "port": 58764
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-powerpoint-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "euc-powerpoint.officeapps.live.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-powerpoint-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.37#58764 (euc-powerpoint.officeapps.live.com.): answer: euc-powerpoint.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR 2 CNAME euc-powerpoint-geo.wac.trafficmanager.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-powerpoint.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.127",
+ "port": 49669
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host106.host106.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.127#49669 (host106.host106.example.net.): answer: host106.host106.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host106.host106.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.37",
+ "port": 58331
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-powerpoint.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "euc-powerpoint.officeapps",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.37#58331: query: euc-powerpoint.officeapps.live.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-powerpoint.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.37",
+ "port": 58331
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-powerpoint-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-powerpoint.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-powerpoint.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-dc-msedge.net",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "euc-powerpoint.officeapps.live.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-powerpoint-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-powerpoint.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-powerpoint.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-dc-msedge.net",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.37#58331 (euc-powerpoint.officeapps.live.com.): answer: euc-powerpoint.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 2 CNAME euc-powerpoint-geo.wac.trafficmanager.net. 18 CNAME euc-powerpoint.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 27 CNAME euc-powerpoint.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net. 24 CNAME wac-0003.wac-dc-msedge.net"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-powerpoint.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.137",
+ "port": 44847
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.python.org",
+ "registered_domain": "python.org",
+ "subdomain": "www",
+ "top_level_domain": "org",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.137#44847: query: www.python.org IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.python.org"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.198",
+ "port": 38176
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host012.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host012",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.198#38176: query: host012.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host012.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.198",
+ "port": 58554
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host012.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host012",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.198#58554: query: host012.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host012.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.198",
+ "port": 38176
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host012.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.198#38176 (host012.example.net.): answer: host012.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host012.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.198",
+ "port": 58554
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.196",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host012.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.196",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.198#58554 (host012.example.net.): answer: host012.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.196 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host012.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.151",
+ "port": 50782
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ingestion.smartocto.com",
+ "registered_domain": "smartocto.com",
+ "subdomain": "ingestion",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.151#50782: query: ingestion.smartocto.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ingestion.smartocto.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.151",
+ "port": 50782
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ingestion.smartocto.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.151#50782 (ingestion.smartocto.com.): answer: ingestion.smartocto.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ingestion.smartocto.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.182",
+ "port": 56844
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "browser.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "browser.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.182#56844: query: browser.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "browser.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.182",
+ "port": 56844
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "browser.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdcus03.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.214",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "browser.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "browser.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdcus03.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.214",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.182#56844 (browser.events.data.microsoft.com.): answer: browser.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 48 CNAME browser.events.data.trafficmanager.net. 47 CNAME onedscolprdcus03.centralus.cloudapp.azure.com. 5 A 198.51.100.214 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "browser.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.100",
+ "port": 63224
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "browser.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "browser.events.data",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#63224: query: browser.events.data.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "browser.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.100",
+ "port": 63224
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "browser.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdcus03.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "browser.events.data.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "browser.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdcus03.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#63224 (browser.events.data.microsoft.com.): answer: browser.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 48 CNAME browser.events.data.trafficmanager.net. 47 CNAME onedscolprdcus03.centralus.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "browser.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.151",
+ "port": 51861
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ingestion.smartocto.com",
+ "registered_domain": "smartocto.com",
+ "subdomain": "ingestion",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.151#51861: query: ingestion.smartocto.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ingestion.smartocto.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.100",
+ "port": 62435
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "browser.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "browser.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#62435: query: browser.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "browser.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.100",
+ "port": 62435
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "browser.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdcus03.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.214",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "browser.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "browser.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdcus03.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.214",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#62435 (browser.events.data.microsoft.com.): answer: browser.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 48 CNAME browser.events.data.trafficmanager.net. 47 CNAME onedscolprdcus03.centralus.cloudapp.azure.com. 5 A 198.51.100.214 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "browser.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.46",
+ "port": 55500
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa",
+ "registered_domain": "52.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55500: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.46",
+ "port": 55500
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55500 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.50",
+ "port": 46710
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host007",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.50#46710: query: host007.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.50",
+ "port": 46710
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "10.100.0.1",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "10.100.0.1",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.50#46710 (host007.example.net.): answer: host007.example.net. IN A (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net. 3600 A 10.100.0.1 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.46",
+ "port": 55501
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host036.host036.host036.host036",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55501: query: host036.host036.host036.host036.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.46",
+ "port": 55501
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55501 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.46",
+ "port": 55502
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host036.host036.host036.host036",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55502: query: host036.host036.host036.host036.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.47",
+ "port": 53436
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mail.yahoo.com",
+ "registered_domain": "yahoo.com",
+ "subdomain": "mail",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.47#53436: query: mail.yahoo.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mail.yahoo.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.47",
+ "port": 53436
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "edge.gycpi.b.yahoodns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "mail.yahoo.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "edge.gycpi.b.yahoodns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.47#53436 (mail.yahoo.com.): answer: mail.yahoo.com. IN TYPE65 (10.100.0.1) -> NOERROR 48 CNAME edge.gycpi.b.yahoodns.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mail.yahoo.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.46",
+ "port": 55502
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55502 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.47",
+ "port": 59981
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mail.yahoo.com",
+ "registered_domain": "yahoo.com",
+ "subdomain": "mail",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.47#59981: query: mail.yahoo.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mail.yahoo.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.47",
+ "port": 59981
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "edge.gycpi.b.yahoodns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.55",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.54",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "mail.yahoo.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "edge.gycpi.b.yahoodns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.55",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.54",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.47#59981 (mail.yahoo.com.): answer: mail.yahoo.com. IN A (10.100.0.1) -> NOERROR 48 CNAME edge.gycpi.b.yahoodns.net. 17 A 198.51.100.55 17 A 198.51.100.54 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mail.yahoo.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.166",
+ "port": 63308
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host108.host108.host108.host108.host108.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host108.host108.host108.host108.host108",
+ "top_level_domain": "net",
+ "type": "SRV"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.166#63308: query: host108.host108.host108.host108.host108.example.net IN SRV (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host108.host108.host108.host108.host108.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.166",
+ "port": 63308
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host109.host109.host109.host109.host109.example.net.",
+ "type": "SRV"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.166#63308 (host109.host109.host109.host109.host109.example.net.): answer: host109.host109.host109.host109.host109.example.net. IN SRV (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host109.host109.host109.host109.host109.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.46",
+ "port": 55503
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host038.host038.host038",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55503: query: host038.host038.host038.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.46",
+ "port": 55503
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55503 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.46",
+ "port": 55504
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host038.host038.host038",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55504: query: host038.host038.host038.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.137",
+ "port": 44847
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "dualstack.python.map.fastly.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.14",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.9",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.5",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.python.org.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "dualstack.python.map.fastly.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.14",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.9",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.5",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.137#44847 (www.python.org.): answer: www.python.org. IN A (10.100.0.1) -> NOERROR 260276 CNAME dualstack.python.map.fastly.net. 60 A 198.51.100.14 60 A 198.51.100.6 60 A 198.51.100.9 60 A 198.51.100.5 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.python.org."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.46",
+ "port": 55504
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55504 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.46",
+ "port": 55505
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host039",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55505: query: host039.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.46",
+ "port": 55505
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.205",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.205",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55505 (host039.example.net.): answer: host039.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.205 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.46",
+ "port": 55506
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host039",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55506: query: host039.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.46",
+ "port": 55506
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.46#55506 (host039.example.net.): answer: host039.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.166",
+ "port": 63308
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host110.host110.host110.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host110.host110.host110",
+ "top_level_domain": "net",
+ "type": "SRV"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.166#63308: query: host110.host110.host110.example.net IN SRV (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host110.host110.host110.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.151",
+ "port": 51861
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.18",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.16",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.1",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ingestion.smartocto.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.18",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.16",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.1",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.151#51861 (ingestion.smartocto.com.): answer: ingestion.smartocto.com. IN A (10.100.0.1) -> NOERROR 57 A 198.51.100.18 57 A 198.51.100.16 57 A 198.51.100.1 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ingestion.smartocto.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.166",
+ "port": 63308
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host110.host110.host110.example.net.",
+ "type": "SRV"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.166#63308 (host110.host110.host110.example.net.): answer: host110.host110.host110.example.net. IN SRV (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host110.host110.host110.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.150",
+ "port": 50204
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "graph.whatsapp.com",
+ "registered_domain": "whatsapp.com",
+ "subdomain": "graph",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.150#50204: query: graph.whatsapp.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.whatsapp.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.150",
+ "port": 50204
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "whatsapp.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "graph.whatsapp.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "whatsapp.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.150#50204 (graph.whatsapp.com.): answer: graph.whatsapp.com. IN TYPE65 (10.100.0.1) -> NOERROR 780 CNAME whatsapp.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.whatsapp.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.150",
+ "port": 53023
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "graph.whatsapp.com",
+ "registered_domain": "whatsapp.com",
+ "subdomain": "graph",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.150#53023: query: graph.whatsapp.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.whatsapp.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.125",
+ "port": 56738
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "winatp-gw-weu",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.125#56738: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.150",
+ "port": 53023
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "whatsapp.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.32",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "graph.whatsapp.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "whatsapp.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.32",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.150#53023 (graph.whatsapp.com.): answer: graph.whatsapp.com. IN A (10.100.0.1) -> NOERROR 780 CNAME whatsapp.com. 22 A 198.51.100.32 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.whatsapp.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.125",
+ "port": 56738
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.125#56738 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.155",
+ "port": 54459
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gateway.fe2.apple-dns.net",
+ "registered_domain": "apple-dns.net",
+ "subdomain": "gateway.fe2",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.155#54459: query: gateway.fe2.apple-dns.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gateway.fe2.apple-dns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.18",
+ "port": 50345
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "api.flightproxy.teams.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "api.flightproxy.teams",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.18#50345: query: api.flightproxy.teams.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "api.flightproxy.teams.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.155",
+ "port": 54459
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gateway.fe2.apple-dns.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.155#54459 (gateway.fe2.apple-dns.net.): answer: gateway.fe2.apple-dns.net. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gateway.fe2.apple-dns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.18",
+ "port": 50345
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "api.flightproxy.teams.trafficmanager.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "api.flightproxy.teams.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "api.flightproxy.teams.trafficmanager.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.18#50345 (api.flightproxy.teams.microsoft.com.): answer: api.flightproxy.teams.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 546 CNAME api.flightproxy.teams.trafficmanager.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "api.flightproxy.teams.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.18",
+ "port": 60063
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "api.flightproxy.teams.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "api.flightproxy.teams",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.18#60063: query: api.flightproxy.teams.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "api.flightproxy.teams.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.18",
+ "port": 60063
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "api.flightproxy.teams.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ep-euwe-02-prod-aks.flightproxy.teams.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "epx.euwe-02.ic3-calling-enterpriseproxy.westeurope-prod.cosmic.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cosmic-westeurope-ns-018d0b8c6998.trafficmanager.net",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "api.flightproxy.teams.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "api.flightproxy.teams.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ep-euwe-02-prod-aks.flightproxy.teams.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "epx.euwe-02.ic3-calling-enterpriseproxy.westeurope-prod.cosmic.office.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "cosmic-westeurope-ns-018d0b8c6998.trafficmanager.net",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.18#60063 (api.flightproxy.teams.microsoft.com.): answer: api.flightproxy.teams.microsoft.com. IN A (10.100.0.1) -> NOERROR 545 CNAME api.flightproxy.teams.trafficmanager.net. 6 CNAME ep-euwe-02-prod-aks.flightproxy.teams.microsoft.com. 1468 CNAME epx.euwe-02.ic3-calling-enterpriseproxy.westeurope-prod.cosmic.office.net. 3 CNAME cosmic-westeurope-ns-018d0b8c6998.trafficmanager.net"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "api.flightproxy.teams.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 52413
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dgw-ig.c10r.facebook.com",
+ "registered_domain": "facebook.com",
+ "subdomain": "dgw-ig.c10r",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#52413: query: dgw-ig.c10r.facebook.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dgw-ig.c10r.facebook.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 52413
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dgw-ig.c10r.facebook.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#52413 (dgw-ig.c10r.facebook.com.): answer: dgw-ig.c10r.facebook.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dgw-ig.c10r.facebook.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.50",
+ "port": 33649
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa",
+ "registered_domain": "52.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.50#33649: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.50",
+ "port": 33649
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.50#33649 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.244",
+ "port": 45654
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host111.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host111",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.244#45654: query: host111.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host111.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.244",
+ "port": 33638
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host111.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host111",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.244#33638: query: host111.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host111.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.244",
+ "port": 33638
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host111.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.244#33638 (host111.example.net.): answer: host111.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host111.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.244",
+ "port": 45654
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.246",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host111.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.246",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.244#45654 (host111.example.net.): answer: host111.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.246 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host111.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.58",
+ "port": 58734
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "winatp-gw-weu",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.58#58734: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.58",
+ "port": 58734
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.58#58734 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.150",
+ "port": 54182
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "whatsapp.com",
+ "registered_domain": "whatsapp.com",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.150#54182: query: whatsapp.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "whatsapp.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.150",
+ "port": 54182
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "whatsapp.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.150#54182 (whatsapp.com.): answer: whatsapp.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "whatsapp.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 56996
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "_dns.resolver.arpa",
+ "registered_domain": "resolver.arpa",
+ "subdomain": "_dns",
+ "top_level_domain": "arpa",
+ "type": "TYPE64"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#56996: query: _dns.resolver.arpa IN TYPE64 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "_dns.resolver.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 56996
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "_dns.resolver.arpa.",
+ "type": "TYPE64"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#56996 (_dns.resolver.arpa.): answer: _dns.resolver.arpa. IN TYPE64 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "_dns.resolver.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.86",
+ "port": 56638
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-common.online.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "euc-common.online",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#56638: query: euc-common.online.office.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-common.online.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.86",
+ "port": 56638
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-common-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-common.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "euc-common.online.office.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-common-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-common.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#56638 (euc-common.online.office.com.): answer: euc-common.online.office.com. IN TYPE65 (10.100.0.1) -> NOERROR 258 CNAME euc-common-geo.wac.trafficmanager.net. 5 CNAME euc-common.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 35 CNAME wac-0003.wac-msedge.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-common.online.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 49889
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gsp85-ssl.ls.apple.com",
+ "registered_domain": "apple.com",
+ "subdomain": "gsp85-ssl.ls",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#49889: query: gsp85-ssl.ls.apple.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gsp85-ssl.ls.apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 49889
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "gsp85-ssl.ls2-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.23",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "gsp85-ssl.ls.apple.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "gsp85-ssl.ls2-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.23",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#49889 (gsp85-ssl.ls.apple.com.): answer: gsp85-ssl.ls.apple.com. IN A (10.100.0.1) -> NOERROR 1017 CNAME gsp85-ssl.ls2-apple.com.akadns.net. 27 A 198.51.100.23 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gsp85-ssl.ls.apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.86",
+ "port": 50672
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-common.online.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "euc-common.online",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#50672: query: euc-common.online.office.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-common.online.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.86",
+ "port": 50672
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-common-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-common.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "euc-common.online.office.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-common-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-common.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#50672 (euc-common.online.office.com.): answer: euc-common.online.office.com. IN A (10.100.0.1) -> NOERROR 258 CNAME euc-common-geo.wac.trafficmanager.net. 5 CNAME euc-common.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 35 CNAME wac-0003.wac-msedge.net. 18 A 198.51.100.235 18 A 198.51.100.236 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-common.online.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 64577
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.icloud.com",
+ "registered_domain": "icloud.com",
+ "subdomain": "mask",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#64577: query: mask.icloud.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.icloud.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 64577
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "mask.apple-dns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "mask.icloud.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "mask.apple-dns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#64577 (mask.icloud.com.): answer: mask.icloud.com. IN TYPE65 (10.100.0.1) -> NOERROR 9366 CNAME mask.apple-dns.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.icloud.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 57496
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gsp85-ssl.ls.apple.com",
+ "registered_domain": "apple.com",
+ "subdomain": "gsp85-ssl.ls",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#57496: query: gsp85-ssl.ls.apple.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gsp85-ssl.ls.apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 57496
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "gsp85-ssl.ls2-apple.com.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "gsp85-ssl.ls.apple.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "gsp85-ssl.ls2-apple.com.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#57496 (gsp85-ssl.ls.apple.com.): answer: gsp85-ssl.ls.apple.com. IN TYPE65 (10.100.0.1) -> NOERROR 1017 CNAME gsp85-ssl.ls2-apple.com.akadns.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gsp85-ssl.ls.apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 50637
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.icloud.com",
+ "registered_domain": "icloud.com",
+ "subdomain": "mask",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#50637: query: mask.icloud.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.icloud.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 50637
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "mask.apple-dns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.44",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.40",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.47",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.42",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.41",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.45",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.46",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.43",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "mask.icloud.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "mask.apple-dns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.44",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.40",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.47",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.42",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.41",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.45",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.46",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.43",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#50637 (mask.icloud.com.): answer: mask.icloud.com. IN A (10.100.0.1) -> NOERROR 9366 CNAME mask.apple-dns.net. 3 A 198.51.100.44 3 A 198.51.100.40 3 A 198.51.100.47 3 A 198.51.100.42 3 A 198.51.100.41 3 A 198.51.100.45 3 A 198.51.100.46 3 A 198.51.100.43 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.icloud.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64717
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa",
+ "registered_domain": "52.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64717: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.234",
+ "port": 56863
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "hbase-rs.node4.isieca.eca.local",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.234#56863: query: hbase-rs.node4.isieca.eca.local IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "hbase-rs.node4.isieca.eca.local"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.234",
+ "port": 56863
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "hbase-rs.node4.isieca.eca.local.",
+ "type": "AAAA"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.234#56863 (hbase-rs.node4.isieca.eca.local.): answer: hbase-rs.node4.isieca.eca.local. IN AAAA (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "hbase-rs.node4.isieca.eca.local."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64717
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64717 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.234",
+ "port": 44647
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "hbase-rs.node6.isieca.eca.local",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.234#44647: query: hbase-rs.node6.isieca.eca.local IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "hbase-rs.node6.isieca.eca.local"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.234",
+ "port": 44647
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "hbase-rs.node6.isieca.eca.local.",
+ "type": "AAAA"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.234#44647 (hbase-rs.node6.isieca.eca.local.): answer: hbase-rs.node6.isieca.eca.local. IN AAAA (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "hbase-rs.node6.isieca.eca.local."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.246",
+ "port": 47119
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "172.16.2.74.in-addr.arpa",
+ "registered_domain": "74.in-addr.arpa",
+ "subdomain": "172.16.2",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.246#47119: query: 172.16.2.74.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "172.16.2.74.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.246",
+ "port": 47119
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host112.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "172.16.2.74.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host112.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.246#47119 (172.16.2.74.in-addr.arpa.): answer: 172.16.2.74.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host112.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "172.16.2.74.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64718
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host036.host036.host036.host036",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64718: query: host036.host036.host036.host036.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64718
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64718 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64719
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host036.host036.host036.host036",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64719: query: host036.host036.host036.host036.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64719
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64719 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64720
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host038.host038.host038",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64720: query: host038.host038.host038.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64720
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64720 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64721
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host038.host038.host038",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64721: query: host038.host038.host038.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64721
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64721 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64722
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host039",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64722: query: host039.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64722
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.205",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.205",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64722 (host039.example.net.): answer: host039.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.205 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.44",
+ "port": 59426
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edr-weu.eu.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.44#59426: query: edr-weu.eu.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.44",
+ "port": 59426
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.158",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.158",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.44#59426 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 15 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com. 3 A 198.51.100.158 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.183",
+ "port": 50218
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "oneocsp.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "oneocsp",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.183#50218: query: oneocsp.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "oneocsp.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.183",
+ "port": 50218
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "oneocsp-microsoft-com.a-0003.a-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a-0003.a-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.159",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "oneocsp.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "oneocsp-microsoft-com.a-0003.a-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a-0003.a-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.159",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.183#50218 (oneocsp.microsoft.com.): answer: oneocsp.microsoft.com. IN A (10.100.0.1) -> NOERROR 2284 CNAME oneocsp-microsoft-com.a-0003.a-msedge.net. 165 CNAME a-0003.a-msedge.net. 136 A 198.51.100.159 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "oneocsp.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.160",
+ "port": 63010
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mediacloud.xiaohongshu.com",
+ "registered_domain": "xiaohongshu.com",
+ "subdomain": "mediacloud",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.160#63010: query: mediacloud.xiaohongshu.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mediacloud.xiaohongshu.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.143",
+ "port": 55581
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host113.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host113",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#55581: query: host113.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host113.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.86",
+ "port": 53076
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "oauth.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "oauth.officeapps",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#53076: query: oauth.officeapps.live.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "oauth.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.86",
+ "port": 53076
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "oauth-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "oauth.officeapps.live.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "oauth-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#53076 (oauth.officeapps.live.com.): answer: oauth.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR 52 CNAME oauth-geo.wac.trafficmanager.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "oauth.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.143",
+ "port": 55581
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.207",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host113.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.207",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#55581 (host113.example.net.): answer: host113.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.207 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host113.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64723
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host039",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64723: query: host039.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.43",
+ "port": 64723
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.43#64723 (host039.example.net.): answer: host039.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.86",
+ "port": 50047
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "oauth.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "oauth.officeapps",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#50047: query: oauth.officeapps.live.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "oauth.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.86",
+ "port": 50047
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "oauth-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "oauth.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "oauth.officeapps.live.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "oauth-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "oauth.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#50047 (oauth.officeapps.live.com.): answer: oauth.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 52 CNAME oauth-geo.wac.trafficmanager.net. 57 CNAME oauth.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 12 CNAME wac-0003.wac-msedge.net. 18 A 198.51.100.235 18 A 198.51.100.236 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "oauth.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.226",
+ "port": 64052
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "example.net",
+ "registered_domain": "example.net",
+ "top_level_domain": "net",
+ "type": "SOA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.226#64052: query: example.net IN SOA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.143",
+ "port": 59527
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host113.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host113",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#59527: query: host113.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host113.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.226",
+ "port": 64052
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host015.example.net. empty.empty. 1438828 3600 600 1209600 3600",
+ "type": "SOA"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "example.net.",
+ "type": "SOA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host015.example.net. empty.empty. 1438828 3600 600 1209600 3600",
+ "type": "SOA"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.226#64052 (example.net.): answer: example.net. IN SOA (10.100.0.1) -> NOERROR 3600 SOA host015.example.net. empty.empty. 1438828 3600 600 1209600 3600 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.143",
+ "port": 59527
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.207",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host113.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.207",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#59527 (host113.example.net.): answer: host113.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.207 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host113.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.39",
+ "port": 57805
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.39#57805: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.39",
+ "port": 57805
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.39#57805 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.199",
+ "port": 39324
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host114.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host114",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.199#39324: query: host114.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host114.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.199",
+ "port": 39324
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.199",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host114.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.199",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.199#39324 (host114.example.net.): answer: host114.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.199 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host114.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.199",
+ "port": 39324
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host114.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host114",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.199#39324: query: host114.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host114.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.199",
+ "port": 39324
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host114.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.199#39324 (host114.example.net.): answer: host114.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host114.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 38653
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host115.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host115",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#38653: query: host115.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host115.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 38653
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host116.example.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "HIxComeZmm-p.EXAMPLE.NET.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host116.example.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#38653 (HIxComeZmm-p.EXAMPLE.NET.): answer: HIxComeZmm-p.EXAMPLE.NET. IN AAAA (10.100.0.1) -> NOERROR 28800 CNAME host116.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "HIxComeZmm-p.EXAMPLE.NET."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.143",
+ "port": 55708
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host113.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host113",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#55708: query: host113.example.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host113.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.143",
+ "port": 55708
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host113.example.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#55708 (host113.example.net.): answer: host113.example.net. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host113.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.143",
+ "port": 65129
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host113.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host113",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#65129: query: host113.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host113.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.143",
+ "port": 65129
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.207",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host113.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.207",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#65129 (host113.example.net.): answer: host113.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.207 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host113.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.244",
+ "port": 38406
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host117.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host117",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.244#38406: query: host117.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host117.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.244",
+ "port": 38406
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host117.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.244#38406 (host117.example.net.): answer: host117.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host117.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.244",
+ "port": 47531
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host117.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host117",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.244#47531: query: host117.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host117.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.244",
+ "port": 47531
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.245",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host117.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.245",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.244#47531 (host117.example.net.): answer: host117.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.245 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host117.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 53138
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host013",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#53138: query: host013.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 53138
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host013",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#53138: query: host013.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 53138
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.217",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.217",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#53138 (host013.example.net.): answer: host013.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.217 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 53138
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#53138 (host013.example.net.): answer: host013.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 61661
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "sstats.adobe.com",
+ "registered_domain": "adobe.com",
+ "subdomain": "sstats",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#61661: query: sstats.adobe.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "sstats.adobe.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 61661
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "adobe.com.ssl.d1.sc.omtrdc.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "sstats.adobe.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "adobe.com.ssl.d1.sc.omtrdc.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#61661 (sstats.adobe.com.): answer: sstats.adobe.com. IN TYPE65 (10.100.0.1) -> NOERROR 470 CNAME adobe.com.ssl.d1.sc.omtrdc.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "sstats.adobe.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 62336
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "sstats.adobe.com",
+ "registered_domain": "adobe.com",
+ "subdomain": "sstats",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#62336: query: sstats.adobe.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "sstats.adobe.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 62336
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "adobe.com.ssl.d1.sc.omtrdc.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.45",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.40",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.44",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.42",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.43",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.41",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "sstats.adobe.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "adobe.com.ssl.d1.sc.omtrdc.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.45",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.40",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.44",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.42",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.43",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.41",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#62336 (sstats.adobe.com.): answer: sstats.adobe.com. IN A (10.100.0.1) -> NOERROR 470 CNAME adobe.com.ssl.d1.sc.omtrdc.net. 374 A 198.51.100.45 374 A 198.51.100.40 374 A 198.51.100.44 374 A 198.51.100.42 374 A 198.51.100.43 374 A 198.51.100.41 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "sstats.adobe.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54970
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa",
+ "registered_domain": "52.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54970: query: 198.51.100.52.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54970
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.52.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54970 (198.51.100.52.in-addr.arpa.): answer: 198.51.100.52.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host008.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.52.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54971
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host036.host036.host036.host036",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54971: query: host036.host036.host036.host036.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54971
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54971 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54972
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host036.host036.host036.host036",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54972: query: host036.host036.host036.host036.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 50988
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "acrobat.adobe.com",
+ "registered_domain": "adobe.com",
+ "subdomain": "acrobat",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#50988: query: acrobat.adobe.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "acrobat.adobe.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 50988
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "acrobat.adobe.com.i.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e29329.dsca.akamaiedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "acrobat.adobe.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "acrobat.adobe.com.i.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e29329.dsca.akamaiedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#50988 (acrobat.adobe.com.): answer: acrobat.adobe.com. IN TYPE65 (10.100.0.1) -> NOERROR 124 CNAME acrobat.adobe.com.i.edgekey.net. 18179 CNAME e29329.dsca.akamaiedge.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "acrobat.adobe.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54972
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host036.host036.host036.host036.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54972 (host036.host036.host036.host036.example.net.): answer: host036.host036.host036.host036.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host036.host036.host036.host036.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 59257
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "acrobat.adobe.com",
+ "registered_domain": "adobe.com",
+ "subdomain": "acrobat",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#59257: query: acrobat.adobe.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "acrobat.adobe.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54973
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host038.host038.host038",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54973: query: host038.host038.host038.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54973
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54973 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 51802
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.bing.com",
+ "registered_domain": "bing.com",
+ "subdomain": "www",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#51802: query: www.bing.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.bing.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 51802
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "www-www.bing.com.trafficmanager.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.bing.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "www-www.bing.com.trafficmanager.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#51802 (www.bing.com.): answer: www.bing.com. IN TYPE65 (10.100.0.1) -> NOERROR 1256 CNAME www-www.bing.com.trafficmanager.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.bing.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54974
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host038.host038.host038",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54974: query: host038.host038.host038.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 58772
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.bing.com",
+ "registered_domain": "bing.com",
+ "subdomain": "www",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#58772: query: www.bing.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.bing.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 58772
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "www-www.bing.com.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.bing.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e86303.dscx.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.120",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.119",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.117",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.121",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.118",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.bing.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "www-www.bing.com.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.bing.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e86303.dscx.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.120",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.119",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.117",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.121",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.118",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#58772 (www.bing.com.): answer: www.bing.com. IN A (10.100.0.1) -> NOERROR 1256 CNAME www-www.bing.com.trafficmanager.net. 22 CNAME www.bing.com.edgekey.net. 9122 CNAME e86303.dscx.akamaiedge.net. 3 A 198.51.100.120 3 A 198.51.100.119 3 A 198.51.100.117 3 A 198.51.100.121 3 A 198.51.100.118 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.bing.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54974
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host038.host038.host038.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54974 (host038.host038.host038.example.net.): answer: host038.host038.host038.example.net. IN AAAA (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host038.host038.host038.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.143",
+ "port": 55257
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "europe.smartscreen",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#55257: query: europe.smartscreen.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.143",
+ "port": 55257
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#55257 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54975
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host039",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54975: query: host039.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54975
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.205",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.205",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54975 (host039.example.net.): answer: host039.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.205 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.245",
+ "port": 10038
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "172.16.2.74.in-addr.arpa",
+ "registered_domain": "74.in-addr.arpa",
+ "subdomain": "172.16.2",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.245#10038: query: 172.16.2.74.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "172.16.2.74.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.245",
+ "port": 10038
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host112.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "172.16.2.74.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host112.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.245#10038 (172.16.2.74.in-addr.arpa.): answer: 172.16.2.74.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host112.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "172.16.2.74.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 59984
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "graph.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "graph",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#59984: query: graph.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 59984
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ags.privatelink.msidentity.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "graph.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ags.privatelink.msidentity.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#59984 (graph.microsoft.com.): answer: graph.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 1054 CNAME ags.privatelink.msidentity.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.143",
+ "port": 62382
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "europe.smartscreen",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#62382: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.143",
+ "port": 62382
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#62382 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54976
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host039",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54976: query: host039.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.47",
+ "port": 54976
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host039.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.47#54976 (host039.example.net.): answer: host039.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host039.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 56397
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "graph.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "graph",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#56397: query: graph.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 56397
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ags.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.prd.ags.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.139",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.138",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.149",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.142",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.140",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.143",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.141",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "graph.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ags.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.prd.ags.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.139",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.138",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.149",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.142",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.140",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.143",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.141",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#56397 (graph.microsoft.com.): answer: graph.microsoft.com. IN A (10.100.0.1) -> NOERROR 1055 CNAME ags.privatelink.msidentity.com. 165 CNAME www.tm.prd.ags.akadns.net. 122 A 198.51.100.139 122 A 198.51.100.138 122 A 198.51.100.149 122 A 198.51.100.142 122 A 198.51.100.140 122 A 198.51.100.143 122 A 198.51.100.141 122 A 198.51.100.210 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.135",
+ "port": 50811
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host031.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host031",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.135#50811: query: host031.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host031.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.135",
+ "port": 50811
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.134",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host031.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.134",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.135#50811 (host031.example.net.): answer: host031.example.net. IN A (10.100.0.1) -> NOERROR 300 A 10.1.1.134 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host031.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.135",
+ "port": 50811
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host031.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host031",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.135#50811: query: host031.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host031.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.135",
+ "port": 50811
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host031.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.135#50811 (host031.example.net.): answer: host031.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host031.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 60667
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.apple-dns.net",
+ "registered_domain": "apple-dns.net",
+ "subdomain": "mask",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#60667: query: mask.apple-dns.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.apple-dns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 60667
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.apple-dns.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#60667 (mask.apple-dns.net.): answer: mask.apple-dns.net. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.apple-dns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 54966
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gsp85-ssl.ls2-apple.com.akadns.net",
+ "registered_domain": "akadns.net",
+ "subdomain": "gsp85-ssl.ls2-apple.com",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#54966: query: gsp85-ssl.ls2-apple.com.akadns.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gsp85-ssl.ls2-apple.com.akadns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.107",
+ "port": 50731
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host058.host058.host058.host058.host058.host058.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host058.host058.host058.host058.host058.host058",
+ "top_level_domain": "net",
+ "type": "SRV"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#50731: query: host058.host058.host058.host058.host058.host058.example.net IN SRV (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host058.host058.host058.host058.host058.host058.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 54966
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gsp85-ssl.ls2-apple.com.akadns.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#54966 (gsp85-ssl.ls2-apple.com.akadns.net.): answer: gsp85-ssl.ls2-apple.com.akadns.net. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gsp85-ssl.ls2-apple.com.akadns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.107",
+ "port": 50731
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "0 100 389 host034.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 389 host005.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 389 host061.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 389 host059.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 389 host060.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 389 host063.example.net.",
+ "type": "SRV"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host062.host062.host062.host062.host062.host062.example.net.",
+ "type": "SRV"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "0 100 389 host034.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 389 host005.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 389 host061.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 389 host059.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 389 host060.example.net.",
+ "type": "SRV"
+ },
+ {
+ "data": "0 100 389 host063.example.net.",
+ "type": "SRV"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.107#50731 (host062.host062.host062.host062.host062.host062.example.net.): answer: host062.host062.host062.host062.host062.host062.example.net. IN SRV (10.100.0.1) -> NOERROR 600 SRV 0 100 389 host034.example.net. 600 SRV 0 100 389 host005.example.net. 600 SRV 0 100 389 host061.example.net. 600 SRV 0 100 389 host059.example.net. 600 SRV 0 100 389 host060.example.net. 600 SRV 0 100 389 host063.example.net."
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host062.host062.host062.host062.host062.host062.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.100",
+ "port": 50318
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-collabrtc.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "euc-collabrtc.officeapps",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#50318: query: euc-collabrtc.officeapps.live.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-collabrtc.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.100",
+ "port": 50318
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-collabrtc.officeapps.live.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#50318 (euc-collabrtc.officeapps.live.com.): answer: euc-collabrtc.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-collabrtc.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.100",
+ "port": 65416
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-collabrtc.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "euc-collabrtc.officeapps",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#65416: query: euc-collabrtc.officeapps.live.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-collabrtc.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.100",
+ "port": 65416
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-collabrtc-geo.rtc.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-collabrtc.rtc.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "euc-collabrtc.officeapps.live.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-collabrtc-geo.rtc.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-collabrtc.rtc.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#65416 (euc-collabrtc.officeapps.live.com.): answer: euc-collabrtc.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 258 CNAME euc-collabrtc-geo.rtc.trafficmanager.net. 31 CNAME euc-collabrtc.rtc.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 4 CNAME wac-0003.wac-msedge.net. 18 A 198.51.100.236 18 A 198.51.100.235 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-collabrtc.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.160",
+ "port": 63010
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "mediacloud.xiaohongshu.com.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1674.dscb.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.123",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.115",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "mediacloud.xiaohongshu.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "mediacloud.xiaohongshu.com.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1674.dscb.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.123",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.115",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.160#63010 (mediacloud.xiaohongshu.com.): answer: mediacloud.xiaohongshu.com. IN A (10.100.0.1) -> NOERROR 488 CNAME mediacloud.xiaohongshu.com.edgesuite.net. 17503 CNAME a1674.dscb.akamai.net. 20 A 198.51.100.123 20 A 198.51.100.115 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mediacloud.xiaohongshu.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.134",
+ "port": 56684
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host118.host118.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host118.host118",
+ "top_level_domain": "net",
+ "type": "TXT"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#56684: query: host118.host118.example.net IN TXT (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host118.host118.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.134",
+ "port": 56684
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host118.host118.example.net.",
+ "type": "TXT"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#56684 (host118.host118.example.net.): answer: host118.host118.example.net. IN TXT (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host118.host118.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.134",
+ "port": 51473
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host119.host119.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host119.host119",
+ "top_level_domain": "net",
+ "type": "TXT"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#51473: query: host119.host119.example.net IN TXT (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host119.host119.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.134",
+ "port": 51473
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host119.host119.example.net.",
+ "type": "TXT"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#51473 (host119.host119.example.net.): answer: host119.host119.example.net. IN TXT (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host119.host119.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.134",
+ "port": 54165
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host120.host120.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host120.host120",
+ "top_level_domain": "net",
+ "type": "TXT"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#54165: query: host120.host120.example.net IN TXT (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host120.host120.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.134",
+ "port": 54165
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host120.host120.example.net.",
+ "type": "TXT"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#54165 (host120.host120.example.net.): answer: host120.host120.example.net. IN TXT (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host120.host120.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.134",
+ "port": 62819
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host121.host121.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host121.host121",
+ "top_level_domain": "net",
+ "type": "TXT"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#62819: query: host121.host121.example.net IN TXT (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host121.host121.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.134",
+ "port": 62819
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host121.host121.example.net.",
+ "type": "TXT"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#62819 (host121.host121.example.net.): answer: host121.host121.example.net. IN TXT (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host121.host121.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.86",
+ "port": 51755
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "browser.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "browser.events.data",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#51755: query: browser.events.data.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "browser.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.86",
+ "port": 51755
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "browser.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdcus03.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "browser.events.data.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "browser.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdcus03.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#51755 (browser.events.data.microsoft.com.): answer: browser.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 48 CNAME browser.events.data.trafficmanager.net. 47 CNAME onedscolprdcus03.centralus.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "browser.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.86",
+ "port": 64640
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "browser.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "browser.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#64640: query: browser.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "browser.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.86",
+ "port": 64640
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "browser.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdcus03.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.214",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "browser.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "browser.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdcus03.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.214",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.86#64640 (browser.events.data.microsoft.com.): answer: browser.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 48 CNAME browser.events.data.trafficmanager.net. 47 CNAME onedscolprdcus03.centralus.cloudapp.azure.com. 5 A 198.51.100.214 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "browser.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.134",
+ "port": 52485
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host122.host122.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host122.host122",
+ "top_level_domain": "net",
+ "type": "TXT"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#52485: query: host122.host122.example.net IN TXT (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host122.host122.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.134",
+ "port": 52485
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host122.host122.example.net.",
+ "type": "TXT"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#52485 (host122.host122.example.net.): answer: host122.host122.example.net. IN TXT (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host122.host122.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.9",
+ "port": 63494
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-excel-telemetry.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "euc-excel-telemetry.officeapps",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.9#63494: query: euc-excel-telemetry.officeapps.live.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-excel-telemetry.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.5",
+ "port": 63344
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host007",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.5#63344: query: host007.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.5",
+ "port": 63344
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host007",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.5#63344: query: host007.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.9",
+ "port": 63494
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-excel-telemetry.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "pgteu4-excel-telemetry-vip.officeapps.live.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.232",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "euc-excel-telemetry.officeapps.live.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-excel-telemetry.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "pgteu4-excel-telemetry-vip.officeapps.live.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.232",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.9#63494 (euc-excel-telemetry.officeapps.live.com.): answer: euc-excel-telemetry.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 236 CNAME euc-excel-telemetry.wac.trafficmanager.net. 240 CNAME pgteu4-excel-telemetry-vip.officeapps.live.com. 222 A 198.51.100.232 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-excel-telemetry.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.5",
+ "port": 63344
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "10.100.0.1",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "10.100.0.1",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.5#63344 (host007.example.net.): answer: host007.example.net. IN A (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net. 3600 A 10.100.0.1 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.5",
+ "port": 63344
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.5#63344 (host007.example.net.): answer: host007.example.net. IN AAAA (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.9",
+ "port": 63929
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-excel-telemetry.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "euc-excel-telemetry.officeapps",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.9#63929: query: euc-excel-telemetry.officeapps.live.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-excel-telemetry.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.9",
+ "port": 63929
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-excel-telemetry.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "pgteu4-excel-telemetry-vip.officeapps.live.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "euc-excel-telemetry.officeapps.live.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-excel-telemetry.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "pgteu4-excel-telemetry-vip.officeapps.live.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.9#63929 (euc-excel-telemetry.officeapps.live.com.): answer: euc-excel-telemetry.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR 236 CNAME euc-excel-telemetry.wac.trafficmanager.net. 240 CNAME pgteu4-excel-telemetry-vip.officeapps.live.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-excel-telemetry.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 59257
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "acrobat.adobe.com.i.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e29329.dsca.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.124",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.128",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "acrobat.adobe.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "acrobat.adobe.com.i.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e29329.dsca.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.124",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.128",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#59257 (acrobat.adobe.com.): answer: acrobat.adobe.com. IN A (10.100.0.1) -> NOERROR 124 CNAME acrobat.adobe.com.i.edgekey.net. 18179 CNAME e29329.dsca.akamaiedge.net. 20 A 198.51.100.124 20 A 198.51.100.128 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "acrobat.adobe.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.59",
+ "port": 55236
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.59#55236: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.59",
+ "port": 55236
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.59#55236 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.20",
+ "port": 52539
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "winatp-gw-weu",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.20#52539: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.20",
+ "port": 52539
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.20#52539 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.172",
+ "port": 63085
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host021.host021.host021.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host021.host021.host021",
+ "top_level_domain": "net",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#63085: query: host021.host021.host021.example.net IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host021.host021.host021.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.172",
+ "port": 63085
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host021.host021.host021.example.net.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#63085 (host021.host021.host021.example.net.): answer: host021.host021.host021.example.net. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host021.host021.host021.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.172",
+ "port": 51750
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.192.0.2.2.in-addr.arpa",
+ "registered_domain": "2.in-addr.arpa",
+ "subdomain": "lb._dns-sd._udp.192.0.2",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#51750: query: lb._dns-sd._udp.192.0.2.2.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.192.0.2.2.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.172",
+ "port": 56037
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.198.51.100.184.in-addr.arpa",
+ "registered_domain": "184.in-addr.arpa",
+ "subdomain": "lb._dns-sd._udp.198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#56037: query: lb._dns-sd._udp.198.51.100.184.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.198.51.100.184.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.172",
+ "port": 59909
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.192.0.2.1.in-addr.arpa",
+ "registered_domain": "1.in-addr.arpa",
+ "subdomain": "lb._dns-sd._udp.192.0.2",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#59909: query: lb._dns-sd._udp.192.0.2.1.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.192.0.2.1.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.172",
+ "port": 51750
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.192.0.2.2.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#51750 (lb._dns-sd._udp.192.0.2.2.in-addr.arpa.): answer: lb._dns-sd._udp.192.0.2.2.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.192.0.2.2.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.172",
+ "port": 56037
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.198.51.100.184.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#56037 (lb._dns-sd._udp.198.51.100.184.in-addr.arpa.): answer: lb._dns-sd._udp.198.51.100.184.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.198.51.100.184.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.172",
+ "port": 59909
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.192.0.2.1.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#59909 (lb._dns-sd._udp.192.0.2.1.in-addr.arpa.): answer: lb._dns-sd._udp.192.0.2.1.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.192.0.2.1.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.172",
+ "port": 49417
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.198.51.100.18.in-addr.arpa",
+ "registered_domain": "18.in-addr.arpa",
+ "subdomain": "lb._dns-sd._udp.198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#49417: query: lb._dns-sd._udp.198.51.100.18.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.198.51.100.18.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.172",
+ "port": 49417
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.198.51.100.18.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#49417 (lb._dns-sd._udp.198.51.100.18.in-addr.arpa.): answer: lb._dns-sd._udp.198.51.100.18.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.198.51.100.18.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.53",
+ "port": 51166
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edr-weu.eu.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.53#51166: query: edr-weu.eu.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.53",
+ "port": 51166
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.158",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.158",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.53#51166 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 15 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com. 3 A 198.51.100.158 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.67",
+ "port": 50697
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.google.com",
+ "registered_domain": "google.com",
+ "subdomain": "www",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.67#50697: query: www.google.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.google.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.67",
+ "port": 50697
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.248",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.244",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.249",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.246",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.247",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.243",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.245",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.242",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.google.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.248",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.244",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.249",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.246",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.247",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.243",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.245",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.242",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.67#50697 (www.google.com.): answer: www.google.com. IN A (10.100.0.1) -> NOERROR 115 A 198.51.100.248 115 A 198.51.100.244 115 A 198.51.100.249 115 A 198.51.100.246 115 A 198.51.100.247 115 A 198.51.100.243 115 A 198.51.100.245 115 A 198.51.100.242 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.google.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 39781
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host123.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host123",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#39781: query: host123.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host123.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 39781
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host123.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host123",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#39781: query: host123.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host123.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 39781
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.97",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host123.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.97",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#39781 (host123.example.net.): answer: host123.example.net. IN A (10.100.0.1) -> NOERROR 1800 A 10.1.0.97 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host123.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 39781
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host123.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#39781 (host123.example.net.): answer: host123.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host123.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.22",
+ "port": 44984
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host124.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host124",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.22#44984: query: host124.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host124.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 50542
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host125.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host125",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#50542: query: host125.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host125.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.22",
+ "port": 44984
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host124.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host124",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.22#44984: query: host124.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host124.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 50542
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host125.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host125",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#50542: query: host125.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host125.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.22",
+ "port": 44984
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.238",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host124.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.238",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.22#44984 (host124.example.net.): answer: host124.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.238 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host124.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.22",
+ "port": 44984
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host124.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.22#44984 (host124.example.net.): answer: host124.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host124.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 50542
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.70",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host125.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.70",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#50542 (host125.example.net.): answer: host125.example.net. IN A (10.100.0.1) -> NOERROR 1800 A 10.1.0.70 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host125.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 50542
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host125.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#50542 (host125.example.net.): answer: host125.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host125.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 44266
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host126.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host126",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#44266: query: host126.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host126.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 44266
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host126.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host126",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#44266: query: host126.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host126.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 44266
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.103",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host126.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.103",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#44266 (host126.example.net.): answer: host126.example.net. IN A (10.100.0.1) -> NOERROR 1800 A 10.1.0.103 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host126.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 44266
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host126.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#44266 (host126.example.net.): answer: host126.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host126.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.156",
+ "port": 51387
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.linkedin.com",
+ "registered_domain": "linkedin.com",
+ "subdomain": "www",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.156#51387: query: www.linkedin.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.linkedin.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.156",
+ "port": 51387
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "cf-afd.www.linkedin.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.linkedin.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "cf-afd.www.linkedin.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.156#51387 (www.linkedin.com.): answer: www.linkedin.com. IN TYPE65 (10.100.0.1) -> NOERROR 111 CNAME cf-afd.www.linkedin.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.linkedin.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 43261
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host127.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host127",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#43261: query: host127.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host127.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 43261
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host127.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host127",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#43261: query: host127.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host127.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 43261
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.17",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host127.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.17",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#43261 (host127.example.net.): answer: host127.example.net. IN A (10.100.0.1) -> NOERROR 1800 A 10.1.0.17 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host127.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 43261
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host127.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#43261 (host127.example.net.): answer: host127.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host127.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.156",
+ "port": 56951
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "media.licdn.com",
+ "registered_domain": "licdn.com",
+ "subdomain": "media",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.156#56951: query: media.licdn.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "media.licdn.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.156",
+ "port": 56951
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "media.cm.licdn.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "media.licdn.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "media.cm.licdn.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.156#56951 (media.licdn.com.): answer: media.licdn.com. IN TYPE65 (10.100.0.1) -> NOERROR 227 CNAME media.cm.licdn.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "media.licdn.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.156",
+ "port": 60501
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "media.licdn.com",
+ "registered_domain": "licdn.com",
+ "subdomain": "media",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.156#60501: query: media.licdn.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "media.licdn.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.156",
+ "port": 60501
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "media.cm.licdn.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "media-fsly.sb.lnkdns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "fs-ak-cf.media.sb.lnkdns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "linkedin.map.fastly.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.7",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.12",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.15",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "media.licdn.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "media.cm.licdn.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "media-fsly.sb.lnkdns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "fs-ak-cf.media.sb.lnkdns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "linkedin.map.fastly.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.7",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.12",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.15",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.156#60501 (media.licdn.com.): answer: media.licdn.com. IN A (10.100.0.1) -> NOERROR 227 CNAME media.cm.licdn.com. 83 CNAME media-fsly.sb.lnkdns.net. 1563 CNAME fs-ak-cf.media.sb.lnkdns.net. 110 CNAME linkedin.map.fastly.net. 40 A 198.51.100.7 40 A 198.51.100.12 40 A 198.51.100.15 40 A 198.51.100.10 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "media.licdn.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 58534
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "graph-fallback.facebook.com",
+ "registered_domain": "facebook.com",
+ "subdomain": "graph-fallback",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#58534: query: graph-fallback.facebook.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph-fallback.facebook.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.161",
+ "port": 58534
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "star.fallback.c10r.facebook.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.19",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "graph-fallback.facebook.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "star.fallback.c10r.facebook.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.19",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.161#58534 (graph-fallback.facebook.com.): answer: graph-fallback.facebook.com. IN A (10.100.0.1) -> NOERROR 3182 CNAME star.fallback.c10r.facebook.com. 22 A 198.51.100.19 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph-fallback.facebook.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.156",
+ "port": 53509
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.linkedin.com",
+ "registered_domain": "linkedin.com",
+ "subdomain": "www",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.156#53509: query: www.linkedin.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.linkedin.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 36049
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host128.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host128",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#36049: query: host128.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host128.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 36049
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host128.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host128",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#36049: query: host128.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host128.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.156",
+ "port": 53509
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "cf-afd.www.linkedin.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.linkedin.com.cdn.cloudflare.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.204",
+ "type": "A"
+ },
+ {
+ "data": "172.16.2.77",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.linkedin.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "cf-afd.www.linkedin.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.linkedin.com.cdn.cloudflare.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.204",
+ "type": "A"
+ },
+ {
+ "data": "172.16.2.77",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.156#53509 (www.linkedin.com.): answer: www.linkedin.com. IN A (10.100.0.1) -> NOERROR 111 CNAME cf-afd.www.linkedin.com. 48 CNAME www.linkedin.com.cdn.cloudflare.net. 107 A 198.51.100.204 107 A 172.16.2.77 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.linkedin.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 36049
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.49",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host128.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.49",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#36049 (host128.example.net.): answer: host128.example.net. IN A (10.100.0.1) -> NOERROR 1800 A 10.1.0.49 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host128.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 36049
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host128.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#36049 (host128.example.net.): answer: host128.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host128.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 60817
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host129.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host129",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#60817: query: host129.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host129.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 60817
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host129.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host129",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#60817: query: host129.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host129.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 60817
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.72",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host129.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.72",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#60817 (host129.example.net.): answer: host129.example.net. IN A (10.100.0.1) -> NOERROR 1800 A 10.1.0.72 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host129.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 60817
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host129.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#60817 (host129.example.net.): answer: host129.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host129.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 48201
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host130.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host130",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#48201: query: host130.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host130.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 48201
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host130.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host130",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#48201: query: host130.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host130.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 48201
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.136",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host130.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.136",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#48201 (host130.example.net.): answer: host130.example.net. IN A (10.100.0.1) -> NOERROR 1800 A 10.1.1.136 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host130.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 48201
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host130.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#48201 (host130.example.net.): answer: host130.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host130.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 51196
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host131.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host131",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#51196: query: host131.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host131.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 51196
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host131.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host131",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#51196: query: host131.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host131.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 51196
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.139",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host131.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.139",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#51196 (host131.example.net.): answer: host131.example.net. IN A (10.100.0.1) -> NOERROR 1800 A 10.1.1.139 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host131.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 51196
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host131.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#51196 (host131.example.net.): answer: host131.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host131.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "as": {
+ "number": 64501,
+ "organization": {
+ "name": "Documentation ASN"
+ }
+ },
+ "geo": {
+ "city_name": "Amsterdam",
+ "continent_name": "Europe",
+ "country_iso_code": "NL",
+ "country_name": "Netherlands",
+ "location": {
+ "lat": 52.37404,
+ "lon": 4.88969
+ },
+ "region_iso_code": "NL-NH",
+ "region_name": "North Holland"
+ },
+ "ip": "198.51.100.188",
+ "port": 45272
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host132.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host132",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.188#45272: query: host132.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host132.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "as": {
+ "number": 64501,
+ "organization": {
+ "name": "Documentation ASN"
+ }
+ },
+ "geo": {
+ "city_name": "Amsterdam",
+ "continent_name": "Europe",
+ "country_iso_code": "NL",
+ "country_name": "Netherlands",
+ "location": {
+ "lat": 52.37404,
+ "lon": 4.88969
+ },
+ "region_iso_code": "NL-NH",
+ "region_name": "North Holland"
+ },
+ "ip": "198.51.100.188",
+ "port": 45272
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.224",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host132.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.224",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.188#45272 (host132.example.net.): answer: host132.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.224 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host132.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 52227
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "acrobat.adobe.com",
+ "registered_domain": "adobe.com",
+ "subdomain": "acrobat",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#52227: query: acrobat.adobe.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "acrobat.adobe.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 52227
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "acrobat.adobe.com.i.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e29329.dsca.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.124",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.128",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "acrobat.adobe.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "acrobat.adobe.com.i.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e29329.dsca.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.124",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.128",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#52227 (acrobat.adobe.com.): answer: acrobat.adobe.com. IN A (10.100.0.1) -> NOERROR 124 CNAME acrobat.adobe.com.i.edgekey.net. 18179 CNAME e29329.dsca.akamaiedge.net. 20 A 198.51.100.124 20 A 198.51.100.128 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "acrobat.adobe.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 33656
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host133.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host133",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#33656: query: host133.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host133.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 33656
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host133.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host133",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#33656: query: host133.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host133.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 33656
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.103",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host133.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.103",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#33656 (host133.example.net.): answer: host133.example.net. IN A (10.100.0.1) -> NOERROR 1800 A 10.1.1.103 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host133.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 33656
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host133.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#33656 (host133.example.net.): answer: host133.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host133.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 36788
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host134.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host134",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#36788: query: host134.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host134.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 36788
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host134.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host134",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#36788: query: host134.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host134.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 36788
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.57",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host134.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.57",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#36788 (host134.example.net.): answer: host134.example.net. IN A (10.100.0.1) -> NOERROR 3600 A 10.1.0.57 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host134.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 36788
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host134.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#36788 (host134.example.net.): answer: host134.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host134.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 53681
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host135.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host135",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#53681: query: host135.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host135.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 53681
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host135.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host135",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#53681: query: host135.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host135.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 53681
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.98",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host135.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.98",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#53681 (host135.example.net.): answer: host135.example.net. IN A (10.100.0.1) -> NOERROR 600 A 10.1.0.98 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host135.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 53681
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host135.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#53681 (host135.example.net.): answer: host135.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host135.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "as": {
+ "number": 64501,
+ "organization": {
+ "name": "Documentation ASN"
+ }
+ },
+ "geo": {
+ "city_name": "Amsterdam",
+ "continent_name": "Europe",
+ "country_iso_code": "NL",
+ "country_name": "Netherlands",
+ "location": {
+ "lat": 52.37404,
+ "lon": 4.88969
+ },
+ "region_iso_code": "NL-NH",
+ "region_name": "North Holland"
+ },
+ "ip": "198.51.100.188",
+ "port": 45272
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host132.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host132",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.188#45272: query: host132.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host132.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "as": {
+ "number": 64501,
+ "organization": {
+ "name": "Documentation ASN"
+ }
+ },
+ "geo": {
+ "city_name": "Amsterdam",
+ "continent_name": "Europe",
+ "country_iso_code": "NL",
+ "country_name": "Netherlands",
+ "location": {
+ "lat": 52.37404,
+ "lon": 4.88969
+ },
+ "region_iso_code": "NL-NH",
+ "region_name": "North Holland"
+ },
+ "ip": "198.51.100.188",
+ "port": 45272
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host132.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.188#45272 (host132.example.net.): answer: host132.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host132.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.69",
+ "port": 55918
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.youtube.com",
+ "registered_domain": "youtube.com",
+ "subdomain": "www",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#55918: query: www.youtube.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.youtube.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.69",
+ "port": 55918
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "youtube-ui.l.google.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.youtube.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "youtube-ui.l.google.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#55918 (www.youtube.com.): answer: www.youtube.com. IN TYPE65 (10.100.0.1) -> NOERROR 256 CNAME youtube-ui.l.google.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.youtube.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.69",
+ "port": 63506
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.youtube.com",
+ "registered_domain": "youtube.com",
+ "subdomain": "www",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#63506: query: www.youtube.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.youtube.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.69",
+ "port": 63506
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "youtube-ui.l.google.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.251",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.109",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.253",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.238",
+ "type": "A"
+ },
+ {
+ "data": "172.16.2.68",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.241",
+ "type": "A"
+ },
+ {
+ "data": "172.16.2.70",
+ "type": "A"
+ },
+ {
+ "data": "172.16.2.71",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.164",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.youtube.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "youtube-ui.l.google.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.251",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.109",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.253",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.238",
+ "type": "A"
+ },
+ {
+ "data": "172.16.2.68",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.241",
+ "type": "A"
+ },
+ {
+ "data": "172.16.2.70",
+ "type": "A"
+ },
+ {
+ "data": "172.16.2.71",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.164",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.69#63506 (www.youtube.com.): answer: www.youtube.com. IN A (10.100.0.1) -> NOERROR 256 CNAME youtube-ui.l.google.com. 92 A 198.51.100.251 92 A 198.51.100.109 92 A 198.51.100.253 92 A 198.51.100.238 92 A 172.16.2.68 92 A 198.51.100.241 92 A 172.16.2.70 92 A 172.16.2.71 92 A 198.51.100.164 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.youtube.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 53418
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host136.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host136",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#53418: query: host136.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host136.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 53418
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host136.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host136",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#53418: query: host136.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host136.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 53418
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.111",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host136.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.111",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#53418 (host136.example.net.): answer: host136.example.net. IN A (10.100.0.1) -> NOERROR 3600 A 10.1.1.111 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host136.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 53418
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host136.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#53418 (host136.example.net.): answer: host136.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host136.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.108",
+ "port": 58804
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "graph.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "graph",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.108#58804: query: graph.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.108",
+ "port": 58804
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ags.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.prd.ags.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.142",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.140",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.143",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.141",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.139",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.138",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.149",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "graph.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ags.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.prd.ags.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.142",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.140",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.143",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.141",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.139",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.138",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.149",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.108#58804 (graph.microsoft.com.): answer: graph.microsoft.com. IN A (10.100.0.1) -> NOERROR 1055 CNAME ags.privatelink.msidentity.com. 165 CNAME www.tm.prd.ags.akadns.net. 122 A 198.51.100.142 122 A 198.51.100.140 122 A 198.51.100.143 122 A 198.51.100.141 122 A 198.51.100.210 122 A 198.51.100.139 122 A 198.51.100.138 122 A 198.51.100.149 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.54",
+ "port": 50880
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ipv6.msftconnecttest.com",
+ "registered_domain": "msftconnecttest.com",
+ "subdomain": "ipv6",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.54#50880: query: ipv6.msftconnecttest.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ipv6.msftconnecttest.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.54",
+ "port": 50880
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ncsiv6-geo.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ipv6.msftconnecttest.com.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1968.i6g1.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ipv6.msftconnecttest.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ncsiv6-geo.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ipv6.msftconnecttest.com.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1968.i6g1.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.54#50880 (ipv6.msftconnecttest.com.): answer: ipv6.msftconnecttest.com. IN A (10.100.0.1) -> NOERROR 358 CNAME ncsiv6-geo.trafficmanager.net. 70242 CNAME ipv6.msftconnecttest.com.edgesuite.net. 11153 CNAME a1968.i6g1.akamai.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ipv6.msftconnecttest.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.78",
+ "port": 60581
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "login.microsoftonline.com",
+ "registered_domain": "microsoftonline.com",
+ "subdomain": "login",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.78#60581: query: login.microsoftonline.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "login.microsoftonline.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.78",
+ "port": 60581
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "login.mso.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ak.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.a.prd.aadg.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.144",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.137",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.146",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.208",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.148",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.145",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.147",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.209",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "login.microsoftonline.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "login.mso.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ak.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.a.prd.aadg.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.144",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.137",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.146",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.208",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.148",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.145",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.147",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.209",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.78#60581 (login.microsoftonline.com.): answer: login.microsoftonline.com. IN A (10.100.0.1) -> NOERROR 7955 CNAME login.mso.msidentity.com. 71 CNAME ak.privatelink.msidentity.com. 41 CNAME www.tm.a.prd.aadg.trafficmanager.net. 99 A 198.51.100.144 99 A 198.51.100.137 99 A 198.51.100.146 99 A 198.51.100.208 99 A 198.51.100.148 99 A 198.51.100.145 99 A 198.51.100.147 99 A 198.51.100.209 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "login.microsoftonline.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.54",
+ "port": 49940
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ipv6.msftconnecttest.com",
+ "registered_domain": "msftconnecttest.com",
+ "subdomain": "ipv6",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.54#49940: query: ipv6.msftconnecttest.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ipv6.msftconnecttest.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.54",
+ "port": 49940
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ncsiv6-geo.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ipv6.msftconnecttest.com.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1968.i6g1.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ipv6.msftconnecttest.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ncsiv6-geo.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ipv6.msftconnecttest.com.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1968.i6g1.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.54#49940 (ipv6.msftconnecttest.com.): answer: ipv6.msftconnecttest.com. IN A (10.100.0.1) -> NOERROR 358 CNAME ncsiv6-geo.trafficmanager.net. 70242 CNAME ipv6.msftconnecttest.com.edgesuite.net. 11153 CNAME a1968.i6g1.akamai.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ipv6.msftconnecttest.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.170",
+ "port": 51917
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "trk.pinterest.com",
+ "registered_domain": "pinterest.com",
+ "subdomain": "trk",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.170#51917: query: trk.pinterest.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "trk.pinterest.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.170",
+ "port": 51917
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "vpc-trk-10d1b1f8032805fc.elb.us-east-1.amazonaws.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.228",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.12",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.179",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "trk.pinterest.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "vpc-trk-10d1b1f8032805fc.elb.us-east-1.amazonaws.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.228",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.12",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.179",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.170#51917 (trk.pinterest.com.): answer: trk.pinterest.com. IN A (10.100.0.1) -> NOERROR 6 CNAME vpc-trk-10d1b1f8032805fc.elb.us-east-1.amazonaws.com. 11 A 198.51.100.228 11 A 198.51.100.12 11 A 198.51.100.179 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "trk.pinterest.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.59",
+ "port": 58408
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host034.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host034",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.59#58408: query: host034.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host034.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.59",
+ "port": 58408
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host034.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.59#58408 (host034.example.net.): answer: host034.example.net. IN A (10.100.0.1) -> NOERROR 1200 A 10.1.0.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host034.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.91",
+ "port": 59678
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.91#59678: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.91",
+ "port": 59678
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.91#59678 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.178",
+ "port": 50620
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.178#50620: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.178",
+ "port": 50620
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.178#50620 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.102",
+ "port": 57874
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.102#57874: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.102",
+ "port": 57874
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.102#57874 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.142",
+ "port": 55587
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-onenote.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "euc-onenote.officeapps",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.142#55587: query: euc-onenote.officeapps.live.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-onenote.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.142",
+ "port": 55587
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-onenote-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-onenote.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "euc-onenote.officeapps.live.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-onenote-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-onenote.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.142#55587 (euc-onenote.officeapps.live.com.): answer: euc-onenote.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR 23 CNAME euc-onenote-geo.wac.trafficmanager.net. 2 CNAME euc-onenote.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 33 CNAME wac-0003.wac-msedge.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-onenote.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.185",
+ "port": 56945
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host004.host004.host004.host004.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host004.host004.host004.host004",
+ "top_level_domain": "net",
+ "type": "SRV"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.185#56945: query: host004.host004.host004.host004.example.net IN SRV (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host004.host004.host004.host004.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.185",
+ "port": 56945
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "0 100 389 host005.example.net.",
+ "type": "SRV"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host004.host004.host004.host004.example.net.",
+ "type": "SRV"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "0 100 389 host005.example.net.",
+ "type": "SRV"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.185#56945 (host004.host004.host004.host004.example.net.): answer: host004.host004.host004.host004.example.net. IN SRV (10.100.0.1) -> NOERROR 600 SRV 0 100 389 host005.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host004.host004.host004.host004.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.46",
+ "port": 63775
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ipv6.msftconnecttest.com",
+ "registered_domain": "msftconnecttest.com",
+ "subdomain": "ipv6",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.46#63775: query: ipv6.msftconnecttest.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ipv6.msftconnecttest.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.46",
+ "port": 63775
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ncsiv6-geo.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ipv6.msftconnecttest.com.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1968.i6g1.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ipv6.msftconnecttest.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ncsiv6-geo.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ipv6.msftconnecttest.com.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1968.i6g1.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.46#63775 (ipv6.msftconnecttest.com.): answer: ipv6.msftconnecttest.com. IN A (10.100.0.1) -> NOERROR 358 CNAME ncsiv6-geo.trafficmanager.net. 70242 CNAME ipv6.msftconnecttest.com.edgesuite.net. 11153 CNAME a1968.i6g1.akamai.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ipv6.msftconnecttest.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.9",
+ "port": 60908
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edr-weu.eu.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.9#60908: query: edr-weu.eu.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.9",
+ "port": 60908
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.158",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.158",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.9#60908 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 15 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com. 3 A 198.51.100.158 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.60",
+ "port": 54515
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euro03.azure-devices.net",
+ "registered_domain": "azure-devices.net",
+ "subdomain": "euro03",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.60#54515: query: euro03.azure-devices.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euro03.azure-devices.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.54",
+ "port": 50308
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ipv6.msftconnecttest.com",
+ "registered_domain": "msftconnecttest.com",
+ "subdomain": "ipv6",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.54#50308: query: ipv6.msftconnecttest.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ipv6.msftconnecttest.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.54",
+ "port": 50308
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ncsiv6-geo.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ipv6.msftconnecttest.com.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1968.i6g1.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ipv6.msftconnecttest.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ncsiv6-geo.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ipv6.msftconnecttest.com.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1968.i6g1.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.54#50308 (ipv6.msftconnecttest.com.): answer: ipv6.msftconnecttest.com. IN A (10.100.0.1) -> NOERROR 358 CNAME ncsiv6-geo.trafficmanager.net. 70242 CNAME ipv6.msftconnecttest.com.edgesuite.net. 11153 CNAME a1968.i6g1.akamai.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ipv6.msftconnecttest.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.142",
+ "port": 62302
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-onenote.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "euc-onenote.officeapps",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.142#62302: query: euc-onenote.officeapps.live.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-onenote.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.142",
+ "port": 62302
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-onenote-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-onenote.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "euc-onenote.officeapps.live.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-onenote-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-onenote.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.142#62302 (euc-onenote.officeapps.live.com.): answer: euc-onenote.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 22 CNAME euc-onenote-geo.wac.trafficmanager.net. 1 CNAME euc-onenote.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 32 CNAME wac-0003.wac-msedge.net. 17 A 198.51.100.235 17 A 198.51.100.236 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-onenote.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.9",
+ "port": 44483
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edr-weu.eu.endpoint.security",
+ "top_level_domain": "com",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.9#44483: query: edr-weu.eu.endpoint.security.microsoft.com IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.9",
+ "port": 44483
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.9#44483 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN AAAA (10.100.0.1) -> NOERROR 177 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.58",
+ "port": 62896
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-office.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-office.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.58#62896: query: eu-office.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-office.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.58",
+ "port": 62896
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.aria.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdneu02.northeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.155",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-office.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.aria.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdneu02.northeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.155",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.58#62896 (eu-office.events.data.microsoft.com.): answer: eu-office.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 88 CNAME eu.aria.events.data.trafficmanager.net. 11 CNAME onedscolprdneu02.northeurope.cloudapp.azure.com. 2 A 198.51.100.155 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-office.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.46",
+ "port": 63775
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ipv6.msftconnecttest.com",
+ "registered_domain": "msftconnecttest.com",
+ "subdomain": "ipv6",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.46#63775: query: ipv6.msftconnecttest.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ipv6.msftconnecttest.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.46",
+ "port": 63775
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ncsiv6-geo.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ipv6.msftconnecttest.com.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1968.i6g1.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ipv6.msftconnecttest.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ncsiv6-geo.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ipv6.msftconnecttest.com.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1968.i6g1.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.46#63775 (ipv6.msftconnecttest.com.): answer: ipv6.msftconnecttest.com. IN A (10.100.0.1) -> NOERROR 358 CNAME ncsiv6-geo.trafficmanager.net. 70242 CNAME ipv6.msftconnecttest.com.edgesuite.net. 11153 CNAME a1968.i6g1.akamai.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ipv6.msftconnecttest.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.46",
+ "port": 62119
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ipv6.msftconnecttest.com",
+ "registered_domain": "msftconnecttest.com",
+ "subdomain": "ipv6",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.46#62119: query: ipv6.msftconnecttest.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ipv6.msftconnecttest.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.46",
+ "port": 62119
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ncsiv6-geo.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ipv6.msftconnecttest.com.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1968.i6g1.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ipv6.msftconnecttest.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ncsiv6-geo.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ipv6.msftconnecttest.com.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1968.i6g1.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.46#62119 (ipv6.msftconnecttest.com.): answer: ipv6.msftconnecttest.com. IN A (10.100.0.1) -> NOERROR 358 CNAME ncsiv6-geo.trafficmanager.net. 70242 CNAME ipv6.msftconnecttest.com.edgesuite.net. 11153 CNAME a1968.i6g1.akamai.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ipv6.msftconnecttest.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.9",
+ "port": 52258
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com",
+ "registered_domain": "azure.com",
+ "subdomain": "md-prod-simcon-ip128.westeurope.cloudapp",
+ "top_level_domain": "com",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.9#52258: query: md-prod-simcon-ip128.westeurope.cloudapp.azure.com IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "md-prod-simcon-ip128.westeurope.cloudapp.azure.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.9",
+ "port": 52258
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.9#52258 (md-prod-simcon-ip128.westeurope.cloudapp.azure.com.): answer: md-prod-simcon-ip128.westeurope.cloudapp.azure.com. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "md-prod-simcon-ip128.westeurope.cloudapp.azure.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.170",
+ "port": 51218
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "winatp-gw-weu",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.170#51218: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.170",
+ "port": 51218
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.170#51218 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.149",
+ "port": 61768
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "outlook.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "outlook",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.149#61768: query: outlook.office.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "outlook.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.149",
+ "port": 61768
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "outlook.office.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.149#61768 (outlook.office.com.): answer: outlook.office.com. IN A (10.100.0.1) -> NOERROR 31 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.6 7 A 198.51.100.218 7 A 198.51.100.11 7 A 198.51.100.10 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "outlook.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.185",
+ "port": 51248
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host005.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host005",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.185#51248: query: host005.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host005.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.185",
+ "port": 51248
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.228",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host005.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.228",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.185#51248 (host005.example.net.): answer: host005.example.net. IN A (10.100.0.1) -> NOERROR 1200 A 10.1.0.228 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host005.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.14",
+ "port": 50334
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "europe.cp.wd.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "europe.cp.wd",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.14#50334: query: europe.cp.wd.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.cp.wd.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.14",
+ "port": 50334
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "wd-prod-cp-eu.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.227",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "europe.cp.wd.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "wd-prod-cp-eu.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.227",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.14#50334 (europe.cp.wd.microsoft.com.): answer: europe.cp.wd.microsoft.com. IN A (10.100.0.1) -> NOERROR 982 CNAME wd-prod-cp-eu.trafficmanager.net. 208 CNAME wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com. 5 A 198.51.100.227 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.cp.wd.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.174",
+ "port": 51527
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "msedge.api.cdp.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "msedge.api.cdp",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.174#51527: query: msedge.api.cdp.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "msedge.api.cdp.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.174",
+ "port": 51527
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "api.cdp.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "glb.api.prod.dcat.dsp.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.51",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "msedge.api.cdp.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "api.cdp.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "glb.api.prod.dcat.dsp.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.51",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.174#51527 (msedge.api.cdp.microsoft.com.): answer: msedge.api.cdp.microsoft.com. IN A (10.100.0.1) -> NOERROR 180 CNAME api.cdp.microsoft.com. 3078 CNAME glb.api.prod.dcat.dsp.trafficmanager.net. 43 A 198.51.100.51 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "msedge.api.cdp.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.60",
+ "port": 54515
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "gateway-prod-gw-uksouth-3-tls10-g2.uksouth.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.229",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "EURO03.azure-devices.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "gateway-prod-gw-uksouth-3-tls10-g2.uksouth.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.229",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.60#54515 (EURO03.azure-devices.net.): answer: EURO03.azure-devices.net. IN A (10.100.0.1) -> NOERROR 95 CNAME gateway-prod-gw-uksouth-3-tls10-g2.uksouth.cloudapp.azure.com. 10 A 198.51.100.229 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "EURO03.azure-devices.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 51568
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "acrobat.adobe.com",
+ "registered_domain": "adobe.com",
+ "subdomain": "acrobat",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#51568: query: acrobat.adobe.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "acrobat.adobe.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 51568
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "acrobat.adobe.com.i.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e29329.dsca.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.128",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.124",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "acrobat.adobe.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "acrobat.adobe.com.i.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e29329.dsca.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.128",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.124",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#51568 (acrobat.adobe.com.): answer: acrobat.adobe.com. IN A (10.100.0.1) -> NOERROR 124 CNAME acrobat.adobe.com.i.edgekey.net. 18179 CNAME e29329.dsca.akamaiedge.net. 20 A 198.51.100.128 20 A 198.51.100.124 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "acrobat.adobe.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 56743
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "acrobat.adobe.com",
+ "registered_domain": "adobe.com",
+ "subdomain": "acrobat",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#56743: query: acrobat.adobe.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "acrobat.adobe.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 56743
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "acrobat.adobe.com.i.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e29329.dsca.akamaiedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "acrobat.adobe.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "acrobat.adobe.com.i.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e29329.dsca.akamaiedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#56743 (acrobat.adobe.com.): answer: acrobat.adobe.com. IN TYPE65 (10.100.0.1) -> NOERROR 124 CNAME acrobat.adobe.com.i.edgekey.net. 18179 CNAME e29329.dsca.akamaiedge.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "acrobat.adobe.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.134",
+ "port": 56053
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lcdn-locator.apple.com",
+ "registered_domain": "apple.com",
+ "subdomain": "lcdn-locator",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#56053: query: lcdn-locator.apple.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lcdn-locator.apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.134",
+ "port": 56053
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "lcdn-locator.apple.com.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "lcdn-locator.apple.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "lcdn-locator.apple.com.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#56053 (lcdn-locator.apple.com.): answer: lcdn-locator.apple.com. IN TYPE65 (10.100.0.1) -> NOERROR 27514 CNAME lcdn-locator.apple.com.akadns.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lcdn-locator.apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.202",
+ "port": 44665
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host137.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host137",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#44665: query: host137.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host137.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.202",
+ "port": 44665
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host137.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host137",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#44665: query: host137.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host137.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.202",
+ "port": 44665
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.210",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host137.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.210",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#44665 (host137.example.net.): answer: host137.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.210 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host137.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.202",
+ "port": 44665
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host137.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#44665 (host137.example.net.): answer: host137.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host137.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 64579
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dns.umbrella.com",
+ "registered_domain": "umbrella.com",
+ "subdomain": "dns",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#64579: query: dns.umbrella.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.umbrella.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 64579
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.161",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.160",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "dns.umbrella.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.161",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.160",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#64579 (dns.umbrella.com.): answer: dns.umbrella.com. IN A (10.100.0.1) -> NOERROR 376 A 198.51.100.161 376 A 198.51.100.160 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.umbrella.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.45",
+ "port": 51416
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host059.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host059",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.45#51416: query: host059.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host059.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.190",
+ "port": 63182
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host138.host138.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host138.host138",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.190#63182: query: host138.host138.example.net IN A (10.1.0.189)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host138.host138.example.net"
+ ],
+ "ip": [
+ "10.1.0.189"
+ ]
+ },
+ "server": {
+ "ip": "10.1.0.189"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.45",
+ "port": 51416
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.227",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host059.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.227",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.45#51416 (host059.example.net.): answer: host059.example.net. IN A (10.100.0.1) -> NOERROR 1200 A 10.1.0.227 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host059.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 57694
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dns.opendns.com",
+ "registered_domain": "opendns.com",
+ "subdomain": "dns",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#57694: query: dns.opendns.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.opendns.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 57694
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dns.opendns.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#57694 (dns.opendns.com.): answer: dns.opendns.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.opendns.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 50294
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "_dns.resolver.arpa",
+ "registered_domain": "resolver.arpa",
+ "subdomain": "_dns",
+ "top_level_domain": "arpa",
+ "type": "TYPE64"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#50294: query: _dns.resolver.arpa IN TYPE64 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "_dns.resolver.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 50294
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "_dns.resolver.arpa.",
+ "type": "TYPE64"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#50294 (_dns.resolver.arpa.): answer: _dns.resolver.arpa. IN TYPE64 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "_dns.resolver.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.134",
+ "port": 50260
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lcdn-locator.apple.com",
+ "registered_domain": "apple.com",
+ "subdomain": "lcdn-locator",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#50260: query: lcdn-locator.apple.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lcdn-locator.apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.134",
+ "port": 50260
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "lcdn-locator.apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "lcdn-locator-usuqo.apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.22",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "lcdn-locator.apple.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "lcdn-locator.apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "lcdn-locator-usuqo.apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.22",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#50260 (lcdn-locator.apple.com.): answer: lcdn-locator.apple.com. IN A (10.100.0.1) -> NOERROR 27514 CNAME lcdn-locator.apple.com.akadns.net. 15 CNAME lcdn-locator-usuqo.apple.com.akadns.net. 38 A 198.51.100.22 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lcdn-locator.apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 61200
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dns.opendns.com",
+ "registered_domain": "opendns.com",
+ "subdomain": "dns",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#61200: query: dns.opendns.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.opendns.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 61200
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.160",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.161",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "dns.opendns.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.160",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.161",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#61200 (dns.opendns.com.): answer: dns.opendns.com. IN A (10.100.0.1) -> NOERROR 2380 A 198.51.100.160 2380 A 198.51.100.161 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.opendns.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.178",
+ "port": 60709
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mira-ofc.tm-4.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "mira-ofc.tm-4",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.178#60709: query: mira-ofc.tm-4.office.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mira-ofc.tm-4.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.178",
+ "port": 60709
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.248",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.247",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.245",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.238",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.242",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.246",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.243",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.244",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "mira-ofc.tm-4.office.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.248",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.247",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.245",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.238",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.242",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.246",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.243",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.244",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.178#60709 (mira-ofc.tm-4.office.com.): answer: mira-ofc.tm-4.office.com. IN A (10.100.0.1) -> NOERROR 6 A 198.51.100.248 6 A 198.51.100.247 6 A 198.51.100.245 6 A 198.51.100.238 6 A 198.51.100.242 6 A 198.51.100.246 6 A 198.51.100.243 6 A 198.51.100.244 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mira-ofc.tm-4.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 55760
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "doh.umbrella.com",
+ "registered_domain": "umbrella.com",
+ "subdomain": "doh",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#55760: query: doh.umbrella.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "doh.umbrella.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 55760
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "doh.umbrella.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#55760 (doh.umbrella.com.): answer: doh.umbrella.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "doh.umbrella.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 62432
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "doh.opendns.com",
+ "registered_domain": "opendns.com",
+ "subdomain": "doh",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#62432: query: doh.opendns.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "doh.opendns.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 62432
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.254",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "doh.opendns.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.254",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#62432 (doh.opendns.com.): answer: doh.opendns.com. IN A (10.100.0.1) -> NOERROR 114 A 198.51.100.254 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "doh.opendns.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 65243
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "doh.umbrella.com",
+ "registered_domain": "umbrella.com",
+ "subdomain": "doh",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#65243: query: doh.umbrella.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "doh.umbrella.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 65243
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.255",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "doh.umbrella.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.255",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#65243 (doh.umbrella.com.): answer: doh.umbrella.com. IN A (10.100.0.1) -> NOERROR 1 A 198.51.100.255 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "doh.umbrella.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 49322
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "doh.opendns.com",
+ "registered_domain": "opendns.com",
+ "subdomain": "doh",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#49322: query: doh.opendns.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "doh.opendns.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 49322
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "doh.opendns.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#49322 (doh.opendns.com.): answer: doh.opendns.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "doh.opendns.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.84",
+ "port": 62056
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-word-telemetry.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "euc-word-telemetry.officeapps",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.84#62056: query: euc-word-telemetry.officeapps.live.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-word-telemetry.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.84",
+ "port": 62056
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-word-telemetry.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "pgteu5-word-telemetry-vip.officeapps.live.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.233",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "euc-word-telemetry.officeapps.live.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-word-telemetry.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "pgteu5-word-telemetry-vip.officeapps.live.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.233",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.84#62056 (euc-word-telemetry.officeapps.live.com.): answer: euc-word-telemetry.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 5 CNAME euc-word-telemetry.wac.trafficmanager.net. 1 CNAME pgteu5-word-telemetry-vip.officeapps.live.com. 5 A 198.51.100.233 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-word-telemetry.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.84",
+ "port": 63242
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-word-telemetry.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "euc-word-telemetry.officeapps",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.84#63242: query: euc-word-telemetry.officeapps.live.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-word-telemetry.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.84",
+ "port": 63242
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-word-telemetry.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "pgteu5-word-telemetry-vip.officeapps.live.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "euc-word-telemetry.officeapps.live.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-word-telemetry.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "pgteu5-word-telemetry-vip.officeapps.live.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.84#63242 (euc-word-telemetry.officeapps.live.com.): answer: euc-word-telemetry.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR 5 CNAME euc-word-telemetry.wac.trafficmanager.net. 1 CNAME pgteu5-word-telemetry-vip.officeapps.live.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-word-telemetry.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.150",
+ "port": 59826
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.150#59826: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.150",
+ "port": 59826
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.150#59826 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.193",
+ "port": 46619
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edr-weu.eu.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.193#46619: query: edr-weu.eu.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.193",
+ "port": 46619
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.158",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.158",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.193#46619 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 15 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com. 3 A 198.51.100.158 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.193",
+ "port": 46619
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "edr-weu.eu.endpoint.security",
+ "top_level_domain": "com",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.193#46619: query: edr-weu.eu.endpoint.security.microsoft.com IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.193",
+ "port": 46619
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "edr-weu.eu.endpoint.security.microsoft.com.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip128.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.193#46619 (edr-weu.eu.endpoint.security.microsoft.com.): answer: edr-weu.eu.endpoint.security.microsoft.com. IN AAAA (10.100.0.1) -> NOERROR 177 CNAME md-prod-simcon-geoedr-tm-westeurope.trafficmanager.net. 269 CNAME md-prod-simcon-ip128.westeurope.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "edr-weu.eu.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.61",
+ "port": 63557
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "substrate.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "substrate",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.61#63557: query: substrate.office.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "substrate.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.61",
+ "port": 63557
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "substrate.office.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.61#63557 (substrate.office.com.): answer: substrate.office.com. IN A (10.100.0.1) -> NOERROR 46 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.11 7 A 198.51.100.10 7 A 198.51.100.218 7 A 198.51.100.6 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "substrate.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.152",
+ "port": 56843
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host139.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host139",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.152#56843: query: host139.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host139.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.152",
+ "port": 56843
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host140.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.152#56843 (host140.example.net.): answer: host140.example.net. IN A (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host140.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.152",
+ "port": 55122
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host141.host141.host141.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host141.host141.host141",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.152#55122: query: host141.host141.host141.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host141.host141.host141.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.152",
+ "port": 55122
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host142.host142.host142.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.152#55122 (host142.host142.host142.example.net.): answer: host142.host142.host142.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host142.host142.host142.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.131",
+ "port": 65073
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-word-edit.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "euc-word-edit.officeapps",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.131#65073: query: euc-word-edit.officeapps.live.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-word-edit.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.131",
+ "port": 65073
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-word-edit-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-word-edit.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "euc-word-edit.officeapps.live.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-word-edit-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-word-edit.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.131#65073 (euc-word-edit.officeapps.live.com.): answer: euc-word-edit.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 3 CNAME euc-word-edit-geo.wac.trafficmanager.net. 14 CNAME euc-word-edit.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 20 CNAME wac-0003.wac-msedge.net. 18 A 198.51.100.236 18 A 198.51.100.235 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-word-edit.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.87",
+ "port": 50122
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.87#50122: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.87",
+ "port": 50122
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.87#50122 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.177",
+ "port": 57792
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "array514.prod.do.dsp.mp.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "array514.prod.do.dsp.mp",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.177#57792: query: array514.prod.do.dsp.mp.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "array514.prod.do.dsp.mp.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.177",
+ "port": 57792
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.50",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "array514.prod.do.dsp.mp.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.50",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.177#57792 (array514.prod.do.dsp.mp.microsoft.com.): answer: array514.prod.do.dsp.mp.microsoft.com. IN A (10.100.0.1) -> NOERROR 2679 A 198.51.100.50 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "array514.prod.do.dsp.mp.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.99",
+ "port": 58671
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "features.netscalergateway.net",
+ "registered_domain": "netscalergateway.net",
+ "subdomain": "features",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.99#58671: query: features.netscalergateway.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "features.netscalergateway.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.99",
+ "port": 58671
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "features.netscalergateway.net.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "az-eu-w-features.netscalergateway.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "lb-traefik-ngs-production-client.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.34",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "features.netscalergateway.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "features.netscalergateway.net.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "az-eu-w-features.netscalergateway.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "lb-traefik-ngs-production-client.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.34",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.99#58671 (features.netscalergateway.net.): answer: features.netscalergateway.net. IN A (10.100.0.1) -> NOERROR 21 CNAME features.netscalergateway.net.akadns.net. 13 CNAME az-eu-w-features.netscalergateway.net. 1 CNAME lb-traefik-ngs-production-client.westeurope.cloudapp.azure.com. 3 A 198.51.100.34 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "features.netscalergateway.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.67",
+ "port": 53210
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host004.host004.host004.host004.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host004.host004.host004.host004",
+ "top_level_domain": "net",
+ "type": "SRV"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.67#53210: query: host004.host004.host004.host004.example.net IN SRV (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host004.host004.host004.host004.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.67",
+ "port": 53210
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "0 100 389 host005.example.net.",
+ "type": "SRV"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host004.host004.host004.host004.example.net.",
+ "type": "SRV"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "0 100 389 host005.example.net.",
+ "type": "SRV"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.67#53210 (host004.host004.host004.host004.example.net.): answer: host004.host004.host004.host004.example.net. IN SRV (10.100.0.1) -> NOERROR 600 SRV 0 100 389 host005.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host004.host004.host004.host004.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 56173
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dns.umbrella.com",
+ "registered_domain": "umbrella.com",
+ "subdomain": "dns",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#56173: query: dns.umbrella.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.umbrella.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.173",
+ "port": 56173
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dns.umbrella.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.173#56173 (dns.umbrella.com.): answer: dns.umbrella.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.umbrella.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.151",
+ "port": 50235
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.151#50235: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.151",
+ "port": 50235
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.151#50235 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.19",
+ "port": 62903
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com",
+ "registered_domain": "citrix.com",
+ "subdomain": "downloadplugins",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.19#62903: query: downloadplugins.citrix.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.19",
+ "port": 62903
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.19#62903 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.152",
+ "port": 53256
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic.office.net",
+ "registered_domain": "office.net",
+ "subdomain": "partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.152#53256: query: partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic.office.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic.office.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.116",
+ "port": 57937
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "login.microsoftonline.com",
+ "registered_domain": "microsoftonline.com",
+ "subdomain": "login",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.116#57937: query: login.microsoftonline.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "login.microsoftonline.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.116",
+ "port": 57937
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "login.mso.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ak.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.a.prd.aadg.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.208",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.148",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.145",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.147",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.209",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.144",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.137",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.146",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "login.microsoftonline.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "login.mso.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ak.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.a.prd.aadg.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.208",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.148",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.145",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.147",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.209",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.144",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.137",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.146",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.116#57937 (login.microsoftonline.com.): answer: login.microsoftonline.com. IN A (10.100.0.1) -> NOERROR 7955 CNAME login.mso.msidentity.com. 71 CNAME ak.privatelink.msidentity.com. 41 CNAME www.tm.a.prd.aadg.trafficmanager.net. 99 A 198.51.100.208 99 A 198.51.100.148 99 A 198.51.100.145 99 A 198.51.100.147 99 A 198.51.100.209 99 A 198.51.100.144 99 A 198.51.100.137 99 A 198.51.100.146 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "login.microsoftonline.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.90",
+ "port": 49563
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host004.host004.host004.host004.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host004.host004.host004.host004",
+ "top_level_domain": "net",
+ "type": "SRV"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.90#49563: query: host004.host004.host004.host004.example.net IN SRV (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host004.host004.host004.host004.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.90",
+ "port": 49563
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "0 100 389 host005.example.net.",
+ "type": "SRV"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host004.host004.host004.host004.example.net.",
+ "type": "SRV"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "0 100 389 host005.example.net.",
+ "type": "SRV"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.90#49563 (host004.host004.host004.host004.example.net.): answer: host004.host004.host004.host004.example.net. IN SRV (10.100.0.1) -> NOERROR 600 SRV 0 100 389 host005.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host004.host004.host004.host004.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.35",
+ "port": 50843
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.booking.com",
+ "registered_domain": "booking.com",
+ "subdomain": "www",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.35#50843: query: www.booking.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.booking.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.35",
+ "port": 50843
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "d1of1hbywxxm65.cloudfront.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.107",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.104",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.106",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.105",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.booking.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "d1of1hbywxxm65.cloudfront.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.107",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.104",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.106",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.105",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.35#50843 (www.booking.com.): answer: www.booking.com. IN A (10.100.0.1) -> NOERROR 467 CNAME d1of1hbywxxm65.cloudfront.net. 24 A 198.51.100.107 24 A 198.51.100.104 24 A 198.51.100.106 24 A 198.51.100.105 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.booking.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "as": {
+ "number": 64501,
+ "organization": {
+ "name": "Documentation ASN"
+ }
+ },
+ "geo": {
+ "city_name": "Amsterdam",
+ "continent_name": "Europe",
+ "country_iso_code": "NL",
+ "country_name": "Netherlands",
+ "location": {
+ "lat": 52.37404,
+ "lon": 4.88969
+ },
+ "region_iso_code": "NL-NH",
+ "region_name": "North Holland"
+ },
+ "ip": "198.51.100.191",
+ "port": 55015
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host132.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host132",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.191#55015: query: host132.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host132.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "as": {
+ "number": 64501,
+ "organization": {
+ "name": "Documentation ASN"
+ }
+ },
+ "geo": {
+ "city_name": "Amsterdam",
+ "continent_name": "Europe",
+ "country_iso_code": "NL",
+ "country_name": "Netherlands",
+ "location": {
+ "lat": 52.37404,
+ "lon": 4.88969
+ },
+ "region_iso_code": "NL-NH",
+ "region_name": "North Holland"
+ },
+ "ip": "198.51.100.191",
+ "port": 55015
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host132.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host132",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.191#55015: query: host132.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host132.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "as": {
+ "number": 64501,
+ "organization": {
+ "name": "Documentation ASN"
+ }
+ },
+ "geo": {
+ "city_name": "Amsterdam",
+ "continent_name": "Europe",
+ "country_iso_code": "NL",
+ "country_name": "Netherlands",
+ "location": {
+ "lat": 52.37404,
+ "lon": 4.88969
+ },
+ "region_iso_code": "NL-NH",
+ "region_name": "North Holland"
+ },
+ "ip": "198.51.100.191",
+ "port": 55015
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.224",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host132.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.224",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.191#55015 (host132.example.net.): answer: host132.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.224 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host132.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "as": {
+ "number": 64501,
+ "organization": {
+ "name": "Documentation ASN"
+ }
+ },
+ "geo": {
+ "city_name": "Amsterdam",
+ "continent_name": "Europe",
+ "country_iso_code": "NL",
+ "country_name": "Netherlands",
+ "location": {
+ "lat": 52.37404,
+ "lon": 4.88969
+ },
+ "region_iso_code": "NL-NH",
+ "region_name": "North Holland"
+ },
+ "ip": "198.51.100.191",
+ "port": 55015
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host132.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.191#55015 (host132.example.net.): answer: host132.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host132.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.152",
+ "port": 51053
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic.office.net",
+ "registered_domain": "office.net",
+ "subdomain": "partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.152#51053: query: partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic.office.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic.office.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.67",
+ "port": 53210
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host005.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host005",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.67#53210: query: host005.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host005.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.67",
+ "port": 53210
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.228",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host005.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.228",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.67#53210 (host005.example.net.): answer: host005.example.net. IN A (10.100.0.1) -> NOERROR 1200 A 10.1.0.228 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host005.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.21",
+ "port": 60618
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "config.edge.skype.com",
+ "registered_domain": "skype.com",
+ "subdomain": "config.edge",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.21#60618: query: config.edge.skype.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "config.edge.skype.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.21",
+ "port": 60618
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "config.edge.skype.com.trafficmanager.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "config.edge.skype.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "config.edge.skype.com.trafficmanager.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.21#60618 (config.edge.skype.com.): answer: config.edge.skype.com. IN TYPE65 (10.100.0.1) -> NOERROR 7182 CNAME config.edge.skype.com.trafficmanager.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "config.edge.skype.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.21",
+ "port": 58136
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "config.edge.skype.com",
+ "registered_domain": "skype.com",
+ "subdomain": "config.edge",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.21#58136: query: config.edge.skype.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "config.edge.skype.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.21",
+ "port": 58136
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "config.edge.skype.com.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ln-0007.config.skype.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "config-edge-skype.ln-0007.ln-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ln-0007.ln-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.2",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "config.edge.skype.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "config.edge.skype.com.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ln-0007.config.skype.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "config-edge-skype.ln-0007.ln-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ln-0007.ln-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.2",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.21#58136 (config.edge.skype.com.): answer: config.edge.skype.com. IN A (10.100.0.1) -> NOERROR 7182 CNAME config.edge.skype.com.trafficmanager.net. 37 CNAME ln-0007.config.skype.com. 2449 CNAME config-edge-skype.ln-0007.ln-msedge.net. 207 CNAME ln-0007.ln-msedge.net. 108 A 198.51.100.2 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "config.edge.skype.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.48",
+ "port": 51564
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "substrate.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "substrate",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#51564: query: substrate.office.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "substrate.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.48",
+ "port": 51564
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "substrate.office.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#51564 (substrate.office.com.): answer: substrate.office.com. IN TYPE65 (10.100.0.1) -> NOERROR 46 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "substrate.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.48",
+ "port": 53605
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "substrate.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "substrate",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#53605: query: substrate.office.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "substrate.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.48",
+ "port": 53605
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "substrate.office.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.48#53605 (substrate.office.com.): answer: substrate.office.com. IN A (10.100.0.1) -> NOERROR 46 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.11 7 A 198.51.100.10 7 A 198.51.100.218 7 A 198.51.100.6 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "substrate.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.134",
+ "port": 60953
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lcdn-locator.apple.com.akadns.net",
+ "registered_domain": "akadns.net",
+ "subdomain": "lcdn-locator.apple.com",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#60953: query: lcdn-locator.apple.com.akadns.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lcdn-locator.apple.com.akadns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.134",
+ "port": 60953
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lcdn-locator.apple.com.akadns.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.134#60953 (lcdn-locator.apple.com.akadns.net.): answer: lcdn-locator.apple.com.akadns.net. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lcdn-locator.apple.com.akadns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.152",
+ "port": 53256
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "cosmic-northeurope-ns-5ad59b4881b2.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "partition-cname-trouter-ic3-edf-trouter-service-trouter-1.d02-027.ic3-edf",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic.office.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "cosmic-northeurope-ns-5ad59b4881b2.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "partition-cname-trouter-ic3-edf-trouter-service-trouter-1.d02-027.ic3-edf",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.152#53256 (partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic.office.net.): answer: partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic.office.net. IN AAAA (10.100.0.1) -> NOERROR 6 CNAME cosmic-northeurope-ns-5ad59b4881b2.trafficmanager.net. 18 CNAME partition-cname-trouter-ic3-edf-trouter-service-trouter-1.d02-027.ic3-edf"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic.office.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.121",
+ "port": 65384
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gew4-spclient.spotify.com",
+ "registered_domain": "spotify.com",
+ "subdomain": "gew4-spclient",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.121#65384: query: gew4-spclient.spotify.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gew4-spclient.spotify.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.121",
+ "port": 65384
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-web-gew4.dual-gslb.spotify.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "gew4-spclient.spotify.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-web-gew4.dual-gslb.spotify.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.121#65384 (gew4-spclient.spotify.com.): answer: gew4-spclient.spotify.com. IN TYPE65 (10.100.0.1) -> NOERROR 139 CNAME edge-web-gew4.dual-gslb.spotify.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gew4-spclient.spotify.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.121",
+ "port": 55641
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gew4-spclient.spotify.com",
+ "registered_domain": "spotify.com",
+ "subdomain": "gew4-spclient",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.121#55641: query: gew4-spclient.spotify.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gew4-spclient.spotify.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.121",
+ "port": 55641
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-web-gew4.dual-gslb.spotify.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.202",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "gew4-spclient.spotify.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "edge-web-gew4.dual-gslb.spotify.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.202",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.121#55641 (gew4-spclient.spotify.com.): answer: gew4-spclient.spotify.com. IN A (10.100.0.1) -> NOERROR 138 CNAME edge-web-gew4.dual-gslb.spotify.com. 37 A 198.51.100.202 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gew4-spclient.spotify.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.35",
+ "port": 62386
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "cdn.cookielaw.org",
+ "registered_domain": "cookielaw.org",
+ "subdomain": "cdn",
+ "top_level_domain": "org",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.35#62386: query: cdn.cookielaw.org IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "cdn.cookielaw.org"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.35",
+ "port": 62386
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.206",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.205",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "cdn.cookielaw.org.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.206",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.205",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.35#62386 (cdn.cookielaw.org.): answer: cdn.cookielaw.org. IN A (10.100.0.1) -> NOERROR 207 A 198.51.100.206 207 A 198.51.100.205 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "cdn.cookielaw.org."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 43628
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.80.in-addr.arpa",
+ "registered_domain": "80.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#43628: query: 198.51.100.80.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.80.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.222",
+ "port": 43628
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host143.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.80.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host143.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.222#43628 (198.51.100.80.in-addr.arpa.): answer: 198.51.100.80.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host143.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.80.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.220",
+ "port": 51327
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "example.net",
+ "registered_domain": "example.net",
+ "top_level_domain": "net",
+ "type": "SOA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.220#51327: query: example.net IN SOA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.220",
+ "port": 51327
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host015.example.net. empty.empty. 1438828 3600 600 1209600 3600",
+ "type": "SOA"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "example.net.",
+ "type": "SOA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host015.example.net. empty.empty. 1438828 3600 600 1209600 3600",
+ "type": "SOA"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.220#51327 (example.net.): answer: example.net. IN SOA (10.100.0.1) -> NOERROR 3600 SOA host015.example.net. empty.empty. 1438828 3600 600 1209600 3600 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.152",
+ "port": 51053
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "cosmic-northeurope-ns-5ad59b4881b2.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "partition-cname-trouter-ic3-edf-trouter-service-trouter-2.d02-027.ic3-edf-tr",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic.office.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "cosmic-northeurope-ns-5ad59b4881b2.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "partition-cname-trouter-ic3-edf-trouter-service-trouter-2.d02-027.ic3-edf-tr",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.152#51053 (partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic.office.net.): answer: partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic.office.net. IN A (10.100.0.1) -> NOERROR 6 CNAME cosmic-northeurope-ns-5ad59b4881b2.trafficmanager.net. 15 CNAME partition-cname-trouter-ic3-edf-trouter-service-trouter-2.d02-027.ic3-edf-tr"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "partition-cname-trouter.pub-ent-euno-06.ic3-edf-trouter.northeurope-prod.cosmic.office.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.35",
+ "port": 53568
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "t-cf.bstatic.com",
+ "registered_domain": "bstatic.com",
+ "subdomain": "t-cf",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.35#53568: query: t-cf.bstatic.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "t-cf.bstatic.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.35",
+ "port": 53568
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "d2i5gg36g14bzn.cloudfront.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.85",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.86",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.91",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.88",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "t-cf.bstatic.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "d2i5gg36g14bzn.cloudfront.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.85",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.86",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.91",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.88",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.35#53568 (t-cf.bstatic.com.): answer: t-cf.bstatic.com. IN A (10.100.0.1) -> NOERROR 1668 CNAME d2i5gg36g14bzn.cloudfront.net. 11 A 198.51.100.85 11 A 198.51.100.86 11 A 198.51.100.91 11 A 198.51.100.88 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "t-cf.bstatic.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.202",
+ "port": 42167
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host144.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host144",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#42167: query: host144.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host144.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.202",
+ "port": 42167
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host144.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host144",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#42167: query: host144.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host144.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.202",
+ "port": 42167
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.211",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host144.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.211",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#42167 (host144.example.net.): answer: host144.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.211 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host144.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.202",
+ "port": 42167
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host144.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#42167 (host144.example.net.): answer: host144.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host144.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.158",
+ "port": 57886
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "weatherkit.apple.com",
+ "registered_domain": "apple.com",
+ "subdomain": "weatherkit",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.158#57886: query: weatherkit.apple.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "weatherkit.apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.158",
+ "port": 57886
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "weatherkit.apple.com.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "weatherkit.apple.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "weatherkit.apple.com.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.158#57886 (weatherkit.apple.com.): answer: weatherkit.apple.com. IN TYPE65 (10.100.0.1) -> NOERROR 2881 CNAME weatherkit.apple.com.akadns.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "weatherkit.apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.169",
+ "port": 56746
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host145.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host145",
+ "top_level_domain": "net",
+ "type": "SOA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.169#56746: query: host145.example.net IN SOA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host145.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.169",
+ "port": 56746
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host146.example.net.",
+ "type": "SOA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.169#56746 (host146.example.net.): answer: host146.example.net. IN SOA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host146.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.190",
+ "port": 57427
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "182.10.in-addr.arpa",
+ "registered_domain": "10.in-addr.arpa",
+ "subdomain": "182",
+ "top_level_domain": "in-addr.arpa",
+ "type": "SOA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.190#57427: query: 182.10.in-addr.arpa IN SOA (10.1.0.189)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "182.10.in-addr.arpa"
+ ],
+ "ip": [
+ "10.1.0.189"
+ ]
+ },
+ "server": {
+ "ip": "10.1.0.189"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.158",
+ "port": 58840
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "weatherkit.apple.com",
+ "registered_domain": "apple.com",
+ "subdomain": "weatherkit",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.158#58840: query: weatherkit.apple.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "weatherkit.apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.158",
+ "port": 58840
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "weatherkit.apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "weather-data.apple.com.akamaized.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a2047.dscapi9.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.195",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.194",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.192",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.199",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.198",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.196",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.193",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.197",
+ "type": "A"
+ },
+ {
+ "data": "104.1",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "weatherkit.apple.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "weatherkit.apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "weather-data.apple.com.akamaized.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a2047.dscapi9.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.195",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.194",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.192",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.199",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.198",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.196",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.193",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.197",
+ "type": "A"
+ },
+ {
+ "data": "104.1",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.158#58840 (weatherkit.apple.com.): answer: weatherkit.apple.com. IN A (10.100.0.1) -> NOERROR 2881 CNAME weatherkit.apple.com.akadns.net. 52 CNAME weather-data.apple.com.akamaized.net. 9385 CNAME a2047.dscapi9.akamai.net. 5 A 198.51.100.195 5 A 198.51.100.194 5 A 198.51.100.192 5 A 198.51.100.199 5 A 198.51.100.198 5 A 198.51.100.196 5 A 198.51.100.193 5 A 198.51.100.197 5 A 104.1"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "weatherkit.apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.202",
+ "port": 35013
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host147.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host147",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#35013: query: host147.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host147.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.202",
+ "port": 35013
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host147.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host147",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#35013: query: host147.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host147.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.202",
+ "port": 35013
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.212",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host147.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.212",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#35013 (host147.example.net.): answer: host147.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.212 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host147.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.202",
+ "port": 35013
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host147.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.202#35013 (host147.example.net.): answer: host147.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host147.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.184",
+ "port": 52456
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.192.0.2.2.in-addr.arpa",
+ "registered_domain": "2.in-addr.arpa",
+ "subdomain": "lb._dns-sd._udp.192.0.2",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.184#52456: query: lb._dns-sd._udp.192.0.2.2.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.192.0.2.2.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.184",
+ "port": 52456
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.192.0.2.2.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.184#52456 (lb._dns-sd._udp.192.0.2.2.in-addr.arpa.): answer: lb._dns-sd._udp.192.0.2.2.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.192.0.2.2.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.184",
+ "port": 63628
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host021.host021.host021.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host021.host021.host021",
+ "top_level_domain": "net",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.184#63628: query: host021.host021.host021.example.net IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host021.host021.host021.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.184",
+ "port": 63628
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host021.host021.host021.example.net.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.184#63628 (host021.host021.host021.example.net.): answer: host021.host021.host021.example.net. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host021.host021.host021.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.87",
+ "port": 62518
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host022.host022.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host022.host022",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.87#62518: query: host022.host022.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host022.host022.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.184",
+ "port": 60235
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.198.51.100.162.in-addr.arpa",
+ "registered_domain": "162.in-addr.arpa",
+ "subdomain": "lb._dns-sd._udp.198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.184#60235: query: lb._dns-sd._udp.198.51.100.162.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.198.51.100.162.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.184",
+ "port": 60235
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "lb._dns-sd._udp.198.51.100.162.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.184#60235 (lb._dns-sd._udp.198.51.100.162.in-addr.arpa.): answer: lb._dns-sd._udp.198.51.100.162.in-addr.arpa. IN PTR (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "lb._dns-sd._udp.198.51.100.162.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.87",
+ "port": 62518
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host023.host023.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.87#62518 (host023.host023.example.net.): answer: host023.host023.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host023.host023.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.29",
+ "port": 56153
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.29#56153: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.29",
+ "port": 56153
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.29#56153 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.71",
+ "port": 60092
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "self.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "self.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.71#60092: query: self.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "self.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.71",
+ "port": 60092
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "self-events-data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdweu03.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.213",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "self.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "self-events-data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdweu03.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.213",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.71#60092 (self.events.data.microsoft.com.): answer: self.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 37 CNAME self-events-data.trafficmanager.net. 7 CNAME onedscolprdweu03.westeurope.cloudapp.azure.com. 0 A 198.51.100.213 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "self.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.169",
+ "port": 56746
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host015.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host015",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.169#56746: query: host015.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host015.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.169",
+ "port": 56746
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.189",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host015.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.189",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.169#56746 (host015.example.net.): answer: host015.example.net. IN A (10.100.0.1) -> NOERROR 600 A 10.1.0.189 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host015.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.65",
+ "port": 52118
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "winatp-gw-weu",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.65#52118: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.65",
+ "port": 52118
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.65#52118 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.158",
+ "port": 51428
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "weatherkit.apple.com.akadns.net",
+ "registered_domain": "akadns.net",
+ "subdomain": "weatherkit.apple.com",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.158#51428: query: weatherkit.apple.com.akadns.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "weatherkit.apple.com.akadns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.158",
+ "port": 51428
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "weather-data.apple.com.akamaized.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a2047.dscapi9.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "weatherkit.apple.com.akadns.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "weather-data.apple.com.akamaized.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a2047.dscapi9.akamai.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.158#51428 (weatherkit.apple.com.akadns.net.): answer: weatherkit.apple.com.akadns.net. IN TYPE65 (10.100.0.1) -> NOERROR 10 CNAME weather-data.apple.com.akamaized.net. 9385 CNAME a2047.dscapi9.akamai.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "weatherkit.apple.com.akadns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.104",
+ "port": 57182
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "browser.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "browser.events.data",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.104#57182: query: browser.events.data.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "browser.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.104",
+ "port": 57182
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "browser.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdcus03.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "browser.events.data.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "browser.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdcus03.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.104#57182 (browser.events.data.microsoft.com.): answer: browser.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 48 CNAME browser.events.data.trafficmanager.net. 47 CNAME onedscolprdcus03.centralus.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "browser.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.104",
+ "port": 51027
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "browser.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "browser.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.104#51027: query: browser.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "browser.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.104",
+ "port": 51027
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "browser.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdcus03.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.214",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "browser.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "browser.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdcus03.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.214",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.104#51027 (browser.events.data.microsoft.com.): answer: browser.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 48 CNAME browser.events.data.trafficmanager.net. 47 CNAME onedscolprdcus03.centralus.cloudapp.azure.com. 5 A 198.51.100.214 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "browser.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.146",
+ "port": 64835
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "turbo.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "turbo",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.146#64835: query: turbo.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "turbo.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.146",
+ "port": 64835
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "turbo.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.146#64835 (turbo.microsoft.com.): answer: turbo.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 892 CNAME turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "turbo.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.107",
+ "port": 51019
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com",
+ "registered_domain": "citrix.com",
+ "subdomain": "downloadplugins",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.107#51019: query: downloadplugins.citrix.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.107",
+ "port": 51019
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.107#51019 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.146",
+ "port": 60279
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "turbo.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "turbo",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.146#60279: query: turbo.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "turbo.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.146",
+ "port": 60279
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mr-b01.tm-azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dual.part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.211",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "turbo.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mr-b01.tm-azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dual.part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.211",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.146#60279 (turbo.microsoft.com.): answer: turbo.microsoft.com. IN A (10.100.0.1) -> NOERROR 892 CNAME turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net. 5 CNAME mr-b01.tm-azurefd.net. 28 CNAME dual.part-0017.t-0009.fb-t-msedge.net. 37 CNAME part-0017.t-0009.fb-t-msedge.net. 35 A 198.51.100.211 35 A 198.51.100.210 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "turbo.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.152",
+ "port": 60989
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "partition-cname-trouter-ic3-edf-trouter-service-trouter-1.d02-027.ic3-edf-trouter.01-northeurope-prod.cosmic.office.net",
+ "registered_domain": "office.net",
+ "subdomain": "partition-cname-trouter-ic3-edf-trouter-service-trouter-1.d02-027.ic3-edf-trouter.01-northeurope-prod.cosmic",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.152#60989: query: partition-cname-trouter-ic3-edf-trouter-service-trouter-1.d02-027.ic3-edf-trouter.01-northeurope-prod.cosmic.office.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "partition-cname-trouter-ic3-edf-trouter-service-trouter-1.d02-027.ic3-edf-trouter.01-northeurope-prod.cosmic.office.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.52",
+ "port": 58498
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.52#58498: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.52",
+ "port": 58498
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.52#58498 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.18",
+ "port": 51279
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host148.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host148",
+ "top_level_domain": "net",
+ "type": "SOA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.18#51279: query: host148.example.net IN SOA (10.1.0.189)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host148.example.net"
+ ],
+ "ip": [
+ "10.1.0.189"
+ ]
+ },
+ "server": {
+ "ip": "10.1.0.189"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.18",
+ "port": 51279
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host148.example.net.",
+ "type": "SOA"
+ },
+ "response_code": "SERVFAIL"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.18#51279 (host148.example.net.): answer: host148.example.net. IN SOA (10.1.0.189) -> SERVFAIL "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host148.example.net."
+ ],
+ "ip": [
+ "10.1.0.189"
+ ]
+ },
+ "server": {
+ "ip": "10.1.0.189"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.11",
+ "port": 63962
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "signaler-pa.clients6.google.com",
+ "registered_domain": "google.com",
+ "subdomain": "signaler-pa.clients6",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#63962: query: signaler-pa.clients6.google.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "signaler-pa.clients6.google.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.11",
+ "port": 63962
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "signaler-pa.clients6.google.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#63962 (signaler-pa.clients6.google.com.): answer: signaler-pa.clients6.google.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "signaler-pa.clients6.google.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.146",
+ "port": 55732
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.146#55732: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.146",
+ "port": 55732
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.146#55732 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.152",
+ "port": 60989
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.253",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "partition-cname-trouter-ic3-edf-trouter-service-trouter-1.d02-027.ic3-edf-trouter.01-northeurope-prod.cosmic.office.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.253",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.152#60989 (partition-cname-trouter-ic3-edf-trouter-service-trouter-1.d02-027.ic3-edf-trouter.01-northeurope-prod.cosmic.office.net.): answer: partition-cname-trouter-ic3-edf-trouter-service-trouter-1.d02-027.ic3-edf-trouter.01-northeurope-prod.cosmic.office.net. IN A (10.100.0.1) -> NOERROR 18 A 198.51.100.253 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "partition-cname-trouter-ic3-edf-trouter-service-trouter-1.d02-027.ic3-edf-trouter.01-northeurope-prod.cosmic.office.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.156",
+ "port": 64836
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.linkedin.com.cdn.cloudflare.net",
+ "registered_domain": "cloudflare.net",
+ "subdomain": "www.linkedin.com.cdn",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.156#64836: query: www.linkedin.com.cdn.cloudflare.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.linkedin.com.cdn.cloudflare.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.156",
+ "port": 64836
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.linkedin.com.cdn.cloudflare.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.156#64836 (www.linkedin.com.cdn.cloudflare.net.): answer: www.linkedin.com.cdn.cloudflare.net. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.linkedin.com.cdn.cloudflare.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.169",
+ "port": 60715
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "example.net",
+ "registered_domain": "example.net",
+ "top_level_domain": "net"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "denied"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<27>Apr 17 12:39:52 eip-dns-test01 named[38626]: client @0x22b4a6b66d10 10.1.1.169#60715: update 'example.net/IN' denied"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 38626
+ },
+ "related": {
+ "hosts": [
+ "example.net"
+ ]
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.11",
+ "port": 53686
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "signaler-pa.clients6.google.com",
+ "registered_domain": "google.com",
+ "subdomain": "signaler-pa.clients6",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#53686: query: signaler-pa.clients6.google.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "signaler-pa.clients6.google.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.11",
+ "port": 53686
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "172.16.2.69",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "signaler-pa.clients6.google.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "172.16.2.69",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#53686 (signaler-pa.clients6.google.com.): answer: signaler-pa.clients6.google.com. IN A (10.100.0.1) -> NOERROR 196 A 172.16.2.69 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "signaler-pa.clients6.google.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.144",
+ "port": 57844
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "login.microsoftonline.com",
+ "registered_domain": "microsoftonline.com",
+ "subdomain": "login",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.144#57844: query: login.microsoftonline.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "login.microsoftonline.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.144",
+ "port": 57844
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "login.mso.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ak.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.a.prd.aadg.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.145",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.147",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.209",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.144",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.137",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.146",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.208",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.148",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "login.microsoftonline.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "login.mso.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ak.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.a.prd.aadg.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.145",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.147",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.209",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.144",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.137",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.146",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.208",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.148",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.144#57844 (login.microsoftonline.com.): answer: login.microsoftonline.com. IN A (10.100.0.1) -> NOERROR 7955 CNAME login.mso.msidentity.com. 71 CNAME ak.privatelink.msidentity.com. 41 CNAME www.tm.a.prd.aadg.trafficmanager.net. 99 A 198.51.100.145 99 A 198.51.100.147 99 A 198.51.100.209 99 A 198.51.100.144 99 A 198.51.100.137 99 A 198.51.100.146 99 A 198.51.100.208 99 A 198.51.100.148 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "login.microsoftonline.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.181",
+ "port": 63814
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "faster.typekit.net",
+ "registered_domain": "typekit.net",
+ "subdomain": "faster",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.181#63814: query: faster.typekit.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "faster.typekit.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.150",
+ "port": 61251
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.150#61251: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.150",
+ "port": 61251
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.150#61251 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.178",
+ "port": 53617
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-office.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-office.events.data",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.178#53617: query: eu-office.events.data.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-office.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.178",
+ "port": 53617
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.aria.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdneu02.northeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-office.events.data.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.aria.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdneu02.northeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.178#53617 (eu-office.events.data.microsoft.com.): answer: eu-office.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 88 CNAME eu.aria.events.data.trafficmanager.net. 11 CNAME onedscolprdneu02.northeurope.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-office.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.180",
+ "port": 57956
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "self.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "self.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.180#57956: query: self.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "self.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.180",
+ "port": 57956
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "self-events-data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdweu03.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.213",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "self.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "self-events-data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdweu03.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.213",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.180#57956 (self.events.data.microsoft.com.): answer: self.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 37 CNAME self-events-data.trafficmanager.net. 7 CNAME onedscolprdweu03.westeurope.cloudapp.azure.com. 0 A 198.51.100.213 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "self.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.170",
+ "port": 56918
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "notify.bugsnag.com",
+ "registered_domain": "bugsnag.com",
+ "subdomain": "notify",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.170#56918: query: notify.bugsnag.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "notify.bugsnag.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.170",
+ "port": 56918
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.201",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "notify.bugsnag.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.201",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.170#56918 (notify.bugsnag.com.): answer: notify.bugsnag.com. IN A (10.100.0.1) -> NOERROR 9 A 198.51.100.201 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "notify.bugsnag.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.10",
+ "port": 55264
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host029.host029.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host029.host029",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.10#55264: query: host029.host029.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host029.host029.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.10",
+ "port": 55264
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.29",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host029.host029.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.29",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.10#55264 (host029.host029.example.net.): answer: host029.host029.example.net. IN A (10.100.0.1) -> NOERROR 0 A 10.1.1.29 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host029.host029.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.36",
+ "port": 59974
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "v10.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "v10.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.36#59974: query: v10.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "v10.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.36",
+ "port": 59974
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "win-global-asimov-leafs-events-data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdeus11.eastus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.154",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "v10.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "win-global-asimov-leafs-events-data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdeus11.eastus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.154",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.36#59974 (v10.events.data.microsoft.com.): answer: v10.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 22 CNAME win-global-asimov-leafs-events-data.trafficmanager.net. 6 CNAME onedscolprdeus11.eastus.cloudapp.azure.com. 5 A 198.51.100.154 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "v10.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.178",
+ "port": 62530
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-office.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-office.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.178#62530: query: eu-office.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-office.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.178",
+ "port": 62530
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.aria.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdneu02.northeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.155",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-office.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.aria.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdneu02.northeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.155",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.178#62530 (eu-office.events.data.microsoft.com.): answer: eu-office.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 88 CNAME eu.aria.events.data.trafficmanager.net. 11 CNAME onedscolprdneu02.northeurope.cloudapp.azure.com. 2 A 198.51.100.155 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-office.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 51117
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "m365.cloud.microsoft",
+ "registered_domain": "cloud.microsoft",
+ "subdomain": "m365",
+ "top_level_domain": "microsoft",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#51117: query: m365.cloud.microsoft IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "m365.cloud.microsoft"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 51117
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "m365.cloud.microsoft.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#51117 (m365.cloud.microsoft.): answer: m365.cloud.microsoft. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "m365.cloud.microsoft."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 56538
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "m365.cloud.microsoft",
+ "registered_domain": "cloud.microsoft",
+ "subdomain": "m365",
+ "top_level_domain": "microsoft",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#56538: query: m365.cloud.microsoft IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "m365.cloud.microsoft"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 56538
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "officehomemcm.anc.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "officehomemcm.afdcafe.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "home-office365-com.b-0004.b-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "b-0004.b-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.212",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "m365.cloud.microsoft.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "officehomemcm.anc.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "officehomemcm.afdcafe.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "home-office365-com.b-0004.b-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "b-0004.b-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.212",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#56538 (m365.cloud.microsoft.): answer: m365.cloud.microsoft. IN A (10.100.0.1) -> NOERROR 53 CNAME officehomemcm.anc.tm.svc.cloud.microsoft. 8 CNAME officehomemcm.afdcafe.tm.svc.cloud.microsoft. 41 CNAME home-office365-com.b-0004.b-msedge.net. 118 CNAME b-0004.b-msedge.net. 11 A 198.51.100.212 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "m365.cloud.microsoft."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.23",
+ "port": 40411
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host149.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host149",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.23#40411: query: host149.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host149.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.23",
+ "port": 40411
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host149.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host149",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.23#40411: query: host149.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host149.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.23",
+ "port": 40411
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.242",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host149.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.242",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.23#40411 (host149.example.net.): answer: host149.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.242 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host149.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.23",
+ "port": 40411
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host149.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.23#40411 (host149.example.net.): answer: host149.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host149.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.24",
+ "port": 60102
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.24#60102: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.24",
+ "port": 60102
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.24#60102 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.178",
+ "port": 51651
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "onedscolprdneu02.northeurope.cloudapp.azure.com",
+ "registered_domain": "azure.com",
+ "subdomain": "onedscolprdneu02.northeurope.cloudapp",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.178#51651: query: onedscolprdneu02.northeurope.cloudapp.azure.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "onedscolprdneu02.northeurope.cloudapp.azure.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.77",
+ "port": 50190
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "identity.osi.office.net",
+ "registered_domain": "office.net",
+ "subdomain": "identity.osi",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.77#50190: query: identity.osi.office.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "identity.osi.office.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.77",
+ "port": 50190
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod.identity1.osi.office.net.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "identity.osi.office.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod.identity1.osi.office.net.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.77#50190 (identity.osi.office.net.): answer: identity.osi.office.net. IN TYPE65 (10.100.0.1) -> NOERROR 904 CNAME prod.identity1.osi.office.net.akadns.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "identity.osi.office.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.77",
+ "port": 52190
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "identity.osi.office.net",
+ "registered_domain": "office.net",
+ "subdomain": "identity.osi",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.77#52190: query: identity.osi.office.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "identity.osi.office.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.77",
+ "port": 52190
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod.identity1.osi.office.net.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eur.identity1.osi.office.net.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "3pidentity-prod-defaultgeo.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "atm.office.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.237",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.240",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.239",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.241",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "identity.osi.office.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod.identity1.osi.office.net.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eur.identity1.osi.office.net.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "3pidentity-prod-defaultgeo.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "atm.office.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.237",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.240",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.239",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.241",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.77#52190 (identity.osi.office.net.): answer: identity.osi.office.net. IN A (10.100.0.1) -> NOERROR 904 CNAME prod.identity1.osi.office.net.akadns.net. 142 CNAME eur.identity1.osi.office.net.akadns.net. 246 CNAME 3pidentity-prod-defaultgeo.trafficmanager.net. 49 CNAME atm.office.mira.tm.svc.cloud.microsoft. 9 A 198.51.100.237 9 A 198.51.100.240 9 A 198.51.100.239 9 A 198.51.100.241 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "identity.osi.office.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.72",
+ "port": 52371
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.google.com",
+ "registered_domain": "google.com",
+ "subdomain": "www",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.72#52371: query: www.google.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.google.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.72",
+ "port": 52371
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.247",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.243",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.245",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.242",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.248",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.244",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.249",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.246",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.google.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.247",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.243",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.245",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.242",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.248",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.244",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.249",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.246",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.72#52371 (www.google.com.): answer: www.google.com. IN A (10.100.0.1) -> NOERROR 115 A 198.51.100.247 115 A 198.51.100.243 115 A 198.51.100.245 115 A 198.51.100.242 115 A 198.51.100.248 115 A 198.51.100.244 115 A 198.51.100.249 115 A 198.51.100.246 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.google.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.181",
+ "port": 63814
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "faster.typekit.net-stls-v3.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1962.dscg.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.114",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.122",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "faster.typekit.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "faster.typekit.net-stls-v3.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1962.dscg.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.114",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.122",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.181#63814 (faster.typekit.net.): answer: faster.typekit.net. IN A (10.100.0.1) -> NOERROR 49 CNAME faster.typekit.net-stls-v3.edgesuite.net. 15555 CNAME a1962.dscg.akamai.net. 20 A 198.51.100.114 20 A 198.51.100.122 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "faster.typekit.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.72",
+ "port": 64444
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.google.com",
+ "registered_domain": "google.com",
+ "subdomain": "www",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.72#64444: query: www.google.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.google.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.72",
+ "port": 64444
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.249",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.246",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.247",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.243",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.245",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.242",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.248",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.244",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.google.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.249",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.246",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.247",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.243",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.245",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.242",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.248",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.244",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.72#64444 (www.google.com.): answer: www.google.com. IN A (10.100.0.1) -> NOERROR 115 A 198.51.100.249 115 A 198.51.100.246 115 A 198.51.100.247 115 A 198.51.100.243 115 A 198.51.100.245 115 A 198.51.100.242 115 A 198.51.100.248 115 A 198.51.100.244 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.google.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.171",
+ "port": 64564
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "outlook.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "outlook",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.171#64564: query: outlook.office.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "outlook.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.171",
+ "port": 64564
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "outlook.office.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.171#64564 (outlook.office.com.): answer: outlook.office.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "outlook.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.171",
+ "port": 59964
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "outlook.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "outlook",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.171#59964: query: outlook.office.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "outlook.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.171",
+ "port": 59964
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "outlook.office.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.171#59964 (outlook.office.com.): answer: outlook.office.com. IN A (10.100.0.1) -> NOERROR 31 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.10 7 A 198.51.100.6 7 A 198.51.100.218 7 A 198.51.100.11 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "outlook.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.104",
+ "port": 57193
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com",
+ "registered_domain": "citrix.com",
+ "subdomain": "downloadplugins",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.104#57193: query: downloadplugins.citrix.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.104",
+ "port": 57193
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.104#57193 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.127",
+ "port": 51465
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host150.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host150",
+ "top_level_domain": "net",
+ "type": "SOA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.127#51465: query: host150.example.net IN SOA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host150.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.175",
+ "port": 63931
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "cf-viva.viva-forum.production.183295429382.eu-west-1.cloud.kompas.services.",
+ "type": "CNAME"
+ },
+ {
+ "data": "djornz5oeyhvf.cloudfront.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.87",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.90",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.84",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.89",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "forum.viva.nl.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "cf-viva.viva-forum.production.183295429382.eu-west-1.cloud.kompas.services.",
+ "type": "CNAME"
+ },
+ {
+ "data": "djornz5oeyhvf.cloudfront.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.87",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.90",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.84",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.89",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.175#63931 (forum.viva.nl.): answer: forum.viva.nl. IN A (10.100.0.1) -> NOERROR 300 CNAME cf-viva.viva-forum.production.183295429382.eu-west-1.cloud.kompas.services. 300 CNAME djornz5oeyhvf.cloudfront.net. 60 A 198.51.100.87 60 A 198.51.100.90 60 A 198.51.100.84 60 A 198.51.100.89 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "forum.viva.nl."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.127",
+ "port": 51465
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host151.example.net.",
+ "type": "SOA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.127#51465 (host151.example.net.): answer: host151.example.net. IN SOA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host151.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.146",
+ "port": 54240
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-teams.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-teams.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.146#54240: query: eu-teams.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-teams.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.146",
+ "port": 54240
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-teams.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.146#54240 (eu-teams.events.data.microsoft.com.): answer: eu-teams.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 9 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-teams.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.154",
+ "port": 65052
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "winatp-gw-weu",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.154#65052: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.154",
+ "port": 65052
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.154#65052 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.146",
+ "port": 56805
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-teams.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-teams.events.data",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.146#56805: query: eu-teams.events.data.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-teams.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.146",
+ "port": 56805
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-teams.events.data.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.146#56805 (eu-teams.events.data.microsoft.com.): answer: eu-teams.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 9 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-teams.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.127",
+ "port": 51465
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host015.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host015",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.127#51465: query: host015.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host015.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.127",
+ "port": 51465
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.189",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host015.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.189",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.127#51465 (host015.example.net.): answer: host015.example.net. IN A (10.100.0.1) -> NOERROR 600 A 10.1.0.189 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host015.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.178",
+ "port": 51651
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "onedscolprdneu02.northeurope.cloudapp.azure.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.178#51651 (onedscolprdneu02.northeurope.cloudapp.azure.com.): answer: onedscolprdneu02.northeurope.cloudapp.azure.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "onedscolprdneu02.northeurope.cloudapp.azure.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.113",
+ "port": 50510
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "10-courier.push.apple.com",
+ "registered_domain": "apple.com",
+ "subdomain": "10-courier.push",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.113#50510: query: 10-courier.push.apple.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "10-courier.push.apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.113",
+ "port": 50510
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.courier-push-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu-nw-courier-4.push-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.38",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.35",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.33",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.34",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.37",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.36",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.32",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "10-courier.push.apple.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.courier-push-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu-nw-courier-4.push-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.38",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.35",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.33",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.34",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.37",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.36",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.32",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.113#50510 (10-courier.push.apple.com.): answer: 10-courier.push.apple.com. IN A (10.100.0.1) -> NOERROR 12363 CNAME 10.courier-push-apple.com.akadns.net. 42 CNAME eu-nw-courier-4.push-apple.com.akadns.net. 22 A 198.51.100.38 22 A 198.51.100.35 22 A 198.51.100.33 22 A 198.51.100.34 22 A 198.51.100.37 22 A 198.51.100.36 22 A 198.51.100.32 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "10-courier.push.apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.74",
+ "port": 55478
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.74#55478: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.74",
+ "port": 55478
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.74#55478 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.167",
+ "port": 62016
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "dns.msftncsi.com",
+ "registered_domain": "msftncsi.com",
+ "subdomain": "dns",
+ "top_level_domain": "com",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.167#62016: query: dns.msftncsi.com IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.msftncsi.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.167",
+ "port": 62016
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "fd12:3456:789a::1",
+ "type": "AAAA"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "dns.msftncsi.com.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "fd12:3456:789a::1",
+ "type": "AAAA"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.167#62016 (dns.msftncsi.com.): answer: dns.msftncsi.com. IN AAAA (10.100.0.1) -> NOERROR 428 AAAA fd12:3456:789a::1 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "dns.msftncsi.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 49664
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "turbo.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "turbo",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#49664: query: turbo.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "turbo.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 49664
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mr-b01.tm-azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dual.part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.211",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "turbo.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mr-b01.tm-azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dual.part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.211",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#49664 (turbo.microsoft.com.): answer: turbo.microsoft.com. IN A (10.100.0.1) -> NOERROR 892 CNAME turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net. 5 CNAME mr-b01.tm-azurefd.net. 28 CNAME dual.part-0017.t-0009.fb-t-msedge.net. 37 CNAME part-0017.t-0009.fb-t-msedge.net. 35 A 198.51.100.211 35 A 198.51.100.210 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "turbo.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.127",
+ "port": 65381
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "example.net",
+ "registered_domain": "example.net",
+ "top_level_domain": "net"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "denied"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<27>Apr 17 12:39:52 eip-dns-test01 named[38626]: client @0x22b4aaca8650 10.1.1.127#65381: update 'example.net/IN' denied"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 27
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 38626
+ },
+ "related": {
+ "hosts": [
+ "example.net"
+ ]
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 62584
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "turbo.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "turbo",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#62584: query: turbo.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "turbo.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 62584
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "turbo.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#62584 (turbo.microsoft.com.): answer: turbo.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 892 CNAME turbo-api-pe-e7dqbdh2bzgwg5fw.b01.azurefd.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "turbo.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.143",
+ "port": 55489
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host113.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host113",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#55489: query: host113.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host113.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.143",
+ "port": 55489
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.207",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host113.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.207",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#55489 (host113.example.net.): answer: host113.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.207 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host113.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.143",
+ "port": 62798
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host113.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host113",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#62798: query: host113.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host113.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.143",
+ "port": 62798
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.207",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host113.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.207",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#62798 (host113.example.net.): answer: host113.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.207 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host113.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 52097
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host013",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#52097: query: host013.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 52097
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host013",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#52097: query: host013.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 52097
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.217",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.217",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#52097 (host013.example.net.): answer: host013.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.217 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 52097
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#52097 (host013.example.net.): answer: host013.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.143",
+ "port": 63159
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host113.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host113",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#63159: query: host113.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host113.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.143",
+ "port": 63159
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.207",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host113.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.207",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#63159 (host113.example.net.): answer: host113.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.207 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host113.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.143",
+ "port": 60083
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host113.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host113",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#60083: query: host113.example.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host113.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.143",
+ "port": 60083
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host113.example.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.143#60083 (host113.example.net.): answer: host113.example.net. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host113.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.114",
+ "port": 13540
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "4f8e09fa-adbd-4aae-838f-eb74857a9643-netseer-ipaddr-assoc.xy.fbcdn.net",
+ "registered_domain": "fbcdn.net",
+ "subdomain": "4f8e09fa-adbd-4aae-838f-eb74857a9643-netseer-ipaddr-assoc.xy",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.114#13540: query: 4f8e09fa-adbd-4aae-838f-eb74857a9643-netseer-ipaddr-assoc.xy.fbcdn.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "4f8e09fa-adbd-4aae-838f-eb74857a9643-netseer-ipaddr-assoc.xy.fbcdn.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.175",
+ "port": 65116
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "djornz5oeyhvf.cloudfront.net",
+ "registered_domain": "cloudfront.net",
+ "subdomain": "djornz5oeyhvf",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.175#65116: query: djornz5oeyhvf.cloudfront.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "djornz5oeyhvf.cloudfront.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.65",
+ "port": 57857
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.65#57857: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.65",
+ "port": 57857
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.65#57857 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.32",
+ "port": 61185
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.32#61185: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.32",
+ "port": 61185
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.32#61185 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.146",
+ "port": 57244
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "onedscolprdfrc01.francecentral.cloudapp.azure.com",
+ "registered_domain": "azure.com",
+ "subdomain": "onedscolprdfrc01.francecentral.cloudapp",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.146#57244: query: onedscolprdfrc01.francecentral.cloudapp.azure.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "onedscolprdfrc01.francecentral.cloudapp.azure.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.146",
+ "port": 57244
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.146#57244 (onedscolprdfrc01.francecentral.cloudapp.azure.com.): answer: onedscolprdfrc01.francecentral.cloudapp.azure.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "onedscolprdfrc01.francecentral.cloudapp.azure.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.31",
+ "port": 57376
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-word-telemetry.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "euc-word-telemetry.officeapps",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.31#57376: query: euc-word-telemetry.officeapps.live.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-word-telemetry.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.31",
+ "port": 57376
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-word-telemetry.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "pgteu5-word-telemetry-vip.officeapps.live.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "euc-word-telemetry.officeapps.live.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-word-telemetry.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "pgteu5-word-telemetry-vip.officeapps.live.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.31#57376 (euc-word-telemetry.officeapps.live.com.): answer: euc-word-telemetry.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR 5 CNAME euc-word-telemetry.wac.trafficmanager.net. 1 CNAME pgteu5-word-telemetry-vip.officeapps.live.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-word-telemetry.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.31",
+ "port": 56033
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-word-telemetry.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "euc-word-telemetry.officeapps",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.31#56033: query: euc-word-telemetry.officeapps.live.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-word-telemetry.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.31",
+ "port": 56033
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-word-telemetry.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "pgteu5-word-telemetry-vip.officeapps.live.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.233",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "euc-word-telemetry.officeapps.live.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-word-telemetry.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "pgteu5-word-telemetry-vip.officeapps.live.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.233",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.31#56033 (euc-word-telemetry.officeapps.live.com.): answer: euc-word-telemetry.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 5 CNAME euc-word-telemetry.wac.trafficmanager.net. 1 CNAME pgteu5-word-telemetry-vip.officeapps.live.com. 5 A 198.51.100.233 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-word-telemetry.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.8",
+ "port": 58393
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.8#58393: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.8",
+ "port": 58393
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.8#58393 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.174",
+ "port": 62207
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "browser.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "browser.events.data",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.174#62207: query: browser.events.data.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "browser.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.174",
+ "port": 62207
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "browser.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdcus03.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "browser.events.data.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "browser.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdcus03.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.174#62207 (browser.events.data.microsoft.com.): answer: browser.events.data.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 48 CNAME browser.events.data.trafficmanager.net. 47 CNAME onedscolprdcus03.centralus.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "browser.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.174",
+ "port": 56671
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "browser.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "browser.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.174#56671: query: browser.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "browser.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.174",
+ "port": 56671
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "browser.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdcus03.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.214",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "browser.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "browser.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdcus03.centralus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.214",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.174#56671 (browser.events.data.microsoft.com.): answer: browser.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 48 CNAME browser.events.data.trafficmanager.net. 47 CNAME onedscolprdcus03.centralus.cloudapp.azure.com. 5 A 198.51.100.214 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "browser.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.163",
+ "port": 64873
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "substrate.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "substrate",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.163#64873: query: substrate.office.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "substrate.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.163",
+ "port": 64873
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "substrate.office.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.163#64873 (substrate.office.com.): answer: substrate.office.com. IN A (10.100.0.1) -> NOERROR 46 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.218 7 A 198.51.100.6 7 A 198.51.100.11 7 A 198.51.100.10 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "substrate.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.175",
+ "port": 65116
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "djornz5oeyhvf.cloudfront.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.175#65116 (djornz5oeyhvf.cloudfront.net.): answer: djornz5oeyhvf.cloudfront.net. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "djornz5oeyhvf.cloudfront.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.117",
+ "port": 49320
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "tm-sdk.platinumai.net",
+ "registered_domain": "platinumai.net",
+ "subdomain": "tm-sdk",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.117#49320: query: tm-sdk.platinumai.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "tm-sdk.platinumai.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.117",
+ "port": 49320
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "tm-sdk.platinumai.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.117#49320 (tm-sdk.platinumai.net.): answer: tm-sdk.platinumai.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "tm-sdk.platinumai.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.132",
+ "port": 50989
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "settings-win.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "settings-win.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.132#50989: query: settings-win.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "settings-win.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.132",
+ "port": 50989
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "atm-settingsfe-prod-geo2.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "settings-prod-weu-1.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.231",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "settings-win.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "atm-settingsfe-prod-geo2.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "settings-prod-weu-1.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.231",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.132#50989 (settings-win.data.microsoft.com.): answer: settings-win.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 454 CNAME atm-settingsfe-prod-geo2.trafficmanager.net. 1 CNAME settings-prod-weu-1.westeurope.cloudapp.azure.com. 2 A 198.51.100.231 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "settings-win.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.68",
+ "port": 55642
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "excelonline.nel.measure.office.net",
+ "registered_domain": "office.net",
+ "subdomain": "excelonline.nel.measure",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.68#55642: query: excelonline.nel.measure.office.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "excelonline.nel.measure.office.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.68",
+ "port": 55642
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "nel.measure.office.net.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1894.dscb.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.116",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.114",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "excelonline.nel.measure.office.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "nel.measure.office.net.edgesuite.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "a1894.dscb.akamai.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.116",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.114",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.68#55642 (excelonline.nel.measure.office.net.): answer: excelonline.nel.measure.office.net. IN A (10.100.0.1) -> NOERROR 8 CNAME nel.measure.office.net.edgesuite.net. 5049 CNAME a1894.dscb.akamai.net. 14 A 198.51.100.116 14 A 198.51.100.114 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "excelonline.nel.measure.office.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.28",
+ "port": 50745
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "testorg.hive.templafy.com",
+ "registered_domain": "templafy.com",
+ "subdomain": "testorg.hive",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.28#50745: query: testorg.hive.templafy.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "testorg.hive.templafy.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.28",
+ "port": 50745
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "templafyprod1.templafy.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "templafyprod1.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "backendpooltemplafyprod1-3.templafy.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.153",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "testorg.hive.templafy.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "templafyprod1.templafy.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "templafyprod1.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "backendpooltemplafyprod1-3.templafy.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.153",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.28#50745 (testorg.hive.templafy.com.): answer: testorg.hive.templafy.com. IN A (10.100.0.1) -> NOERROR 2800 CNAME templafyprod1.templafy.com. 40 CNAME templafyprod1.trafficmanager.net. 47 CNAME backendpooltemplafyprod1-3.templafy.com. 53 A 198.51.100.153 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "testorg.hive.templafy.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.173",
+ "port": 59994
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "media-ams2-1.cdn.whatsapp.net",
+ "registered_domain": "whatsapp.net",
+ "subdomain": "media-ams2-1.cdn",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.173#59994: query: media-ams2-1.cdn.whatsapp.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "media-ams2-1.cdn.whatsapp.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.173",
+ "port": 59994
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "media-ams2-1.cdn.whatsapp.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.173#59994 (media-ams2-1.cdn.whatsapp.net.): answer: media-ams2-1.cdn.whatsapp.net. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "media-ams2-1.cdn.whatsapp.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.173",
+ "port": 63733
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "media-ams2-1.cdn.whatsapp.net",
+ "registered_domain": "whatsapp.net",
+ "subdomain": "media-ams2-1.cdn",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.173#63733: query: media-ams2-1.cdn.whatsapp.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "media-ams2-1.cdn.whatsapp.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.173",
+ "port": 63733
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.31",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "media-ams2-1.cdn.whatsapp.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.31",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.173#63733 (media-ams2-1.cdn.whatsapp.net.): answer: media-ams2-1.cdn.whatsapp.net. IN A (10.100.0.1) -> NOERROR 2211 A 198.51.100.31 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "media-ams2-1.cdn.whatsapp.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.44",
+ "port": 53603
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "teams.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "teams",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.44#53603: query: teams.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "teams.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.44",
+ "port": 53603
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "teams.office.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "teams.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "teams.office.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.44#53603 (teams.microsoft.com.): answer: teams.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 95863 CNAME teams.office.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "teams.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.44",
+ "port": 62020
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "teams.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "teams",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.44#62020: query: teams.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "teams.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.44",
+ "port": 62020
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "teams.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "tmc-g2.tm-4.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "teams-office-com.s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.251",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.252",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "teams.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "teams.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "tmc-g2.tm-4.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "teams-office-com.s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "s-0005.dual-s-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.251",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.252",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.44#62020 (teams.microsoft.com.): answer: teams.microsoft.com. IN A (10.100.0.1) -> NOERROR 95863 CNAME teams.office.com. 29 CNAME tmc-g2.tm-4.office.com. 22 CNAME teams-office-com.s-0005.dual-s-msedge.net. 101 CNAME s-0005.dual-s-msedge.net. 25 A 198.51.100.251 25 A 198.51.100.252 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "teams.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.158",
+ "port": 55420
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "testorg.hive.templafy.com",
+ "registered_domain": "templafy.com",
+ "subdomain": "testorg.hive",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.158#55420: query: testorg.hive.templafy.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "testorg.hive.templafy.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.158",
+ "port": 55420
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "templafyprod1.templafy.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "templafyprod1.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "backendpooltemplafyprod1-3.templafy.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.153",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "testorg.hive.templafy.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "templafyprod1.templafy.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "templafyprod1.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "backendpooltemplafyprod1-3.templafy.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.153",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.158#55420 (testorg.hive.templafy.com.): answer: testorg.hive.templafy.com. IN A (10.100.0.1) -> NOERROR 2800 CNAME templafyprod1.templafy.com. 40 CNAME templafyprod1.trafficmanager.net. 47 CNAME backendpooltemplafyprod1-3.templafy.com. 53 A 198.51.100.153 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "testorg.hive.templafy.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.151",
+ "port": 62818
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-mobile.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-mobile.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.151#62818: query: eu-mobile.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-mobile.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.151",
+ "port": 62818
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-mobile.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.151#62818 (eu-mobile.events.data.microsoft.com.): answer: eu-mobile.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 8 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-mobile.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.151",
+ "port": 54788
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-mobile.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-mobile.events.data",
+ "top_level_domain": "com",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.151#54788: query: eu-mobile.events.data.microsoft.com IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-mobile.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.151",
+ "port": 54788
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-mobile.events.data.microsoft.com.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.151#54788 (eu-mobile.events.data.microsoft.com.): answer: eu-mobile.events.data.microsoft.com. IN AAAA (10.100.0.1) -> NOERROR 8 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-mobile.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.114",
+ "port": 13540
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "4f8e09fa-adbd-4aae-838f-eb74857a9643-netseer-ipaddr-assoc.xy.fbcdn.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.114#13540 (4f8e09fa-adbd-4aae-838f-eb74857a9643-netseer-ipaddr-assoc.xy.fbcdn.net.): answer: 4f8e09fa-adbd-4aae-838f-eb74857a9643-netseer-ipaddr-assoc.xy.fbcdn.net. IN A (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "4f8e09fa-adbd-4aae-838f-eb74857a9643-netseer-ipaddr-assoc.xy.fbcdn.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.62",
+ "port": 50678
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "uploads.cdn.biorender.com",
+ "registered_domain": "biorender.com",
+ "subdomain": "uploads.cdn",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.62#50678: query: uploads.cdn.biorender.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "uploads.cdn.biorender.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.62",
+ "port": 50678
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "dw09pkmvpczpb.cloudfront.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "uploads.cdn.biorender.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "dw09pkmvpczpb.cloudfront.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.62#50678 (uploads.cdn.biorender.com.): answer: uploads.cdn.biorender.com. IN TYPE65 (10.100.0.1) -> NOERROR 10 CNAME dw09pkmvpczpb.cloudfront.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "uploads.cdn.biorender.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.62",
+ "port": 65274
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "uploads.cdn.biorender.com",
+ "registered_domain": "biorender.com",
+ "subdomain": "uploads.cdn",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.62#65274: query: uploads.cdn.biorender.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "uploads.cdn.biorender.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.41",
+ "port": 60316
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.41#60316: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.41",
+ "port": 60316
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.41#60316 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.100",
+ "port": 59320
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "pfr1-collabhubrtc.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "pfr1-collabhubrtc.officeapps",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#59320: query: pfr1-collabhubrtc.officeapps.live.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "pfr1-collabhubrtc.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.100",
+ "port": 59320
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "pfr1-collabhubrtc-split.rtc.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "pfr1-vipcollabrtc.officeapps.live.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.234",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "pfr1-collabhubrtc.officeapps.live.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "pfr1-collabhubrtc-split.rtc.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "pfr1-vipcollabrtc.officeapps.live.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.234",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#59320 (pfr1-collabhubrtc.officeapps.live.com.): answer: pfr1-collabhubrtc.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 79 CNAME pfr1-collabhubrtc-split.rtc.trafficmanager.net. 10 CNAME pfr1-vipcollabrtc.officeapps.live.com. 182 A 198.51.100.234 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "pfr1-collabhubrtc.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.100",
+ "port": 60305
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "pfr1-collabhubrtc.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "pfr1-collabhubrtc.officeapps",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#60305: query: pfr1-collabhubrtc.officeapps.live.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "pfr1-collabhubrtc.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.100",
+ "port": 60305
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "pfr1-collabhubrtc.officeapps.live.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.100#60305 (pfr1-collabhubrtc.officeapps.live.com.): answer: pfr1-collabhubrtc.officeapps.live.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "pfr1-collabhubrtc.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.13",
+ "port": 48460
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host031.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host031",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.13#48460: query: host031.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host031.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.13",
+ "port": 42494
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host031.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host031",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.13#42494: query: host031.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host031.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.13",
+ "port": 48460
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host031.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.13#48460 (host031.example.net.): answer: host031.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host031.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.13",
+ "port": 42494
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.134",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host031.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.1.134",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.13#42494 (host031.example.net.): answer: host031.example.net. IN A (10.100.0.1) -> NOERROR 300 A 10.1.1.134 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host031.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.114",
+ "port": 60260
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.114#60260: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.114",
+ "port": 49973
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.114#49973: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.114",
+ "port": 49973
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.114#49973 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.114",
+ "port": 60260
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.114#60260 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.10",
+ "port": 50807
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "example.net",
+ "registered_domain": "example.net",
+ "top_level_domain": "net",
+ "type": "SOA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.10#50807: query: example.net IN SOA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.10",
+ "port": 50807
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host015.example.net. empty.empty. 1438828 3600 600 1209600 3600",
+ "type": "SOA"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "example.net.",
+ "type": "SOA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host015.example.net. empty.empty. 1438828 3600 600 1209600 3600",
+ "type": "SOA"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.10#50807 (example.net.): answer: example.net. IN SOA (10.100.0.1) -> NOERROR 3600 SOA host015.example.net. empty.empty. 1438828 3600 600 1209600 3600 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.130",
+ "port": 64737
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "winatp-gw-weu",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.130#64737: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.130",
+ "port": 64737
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.130#64737 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.89",
+ "port": 50723
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com",
+ "registered_domain": "citrix.com",
+ "subdomain": "downloadplugins",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.89#50723: query: downloadplugins.citrix.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.89",
+ "port": 50723
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.89#50723 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.73",
+ "port": 58165
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "editor.svc.cloud.microsoft",
+ "registered_domain": "cloud.microsoft",
+ "subdomain": "editor.svc",
+ "top_level_domain": "microsoft",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.73#58165: query: editor.svc.cloud.microsoft IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "editor.svc.cloud.microsoft"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.73",
+ "port": 58165
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod1.naturallanguageeditorservice.osi.office.net.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "editor.svc.cloud.microsoft.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod1.naturallanguageeditorservice.osi.office.net.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.73#58165 (editor.svc.cloud.microsoft.): answer: editor.svc.cloud.microsoft. IN TYPE65 (10.100.0.1) -> NOERROR 20 CNAME prod1.naturallanguageeditorservice.osi.office.net.akadns.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "editor.svc.cloud.microsoft."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.73",
+ "port": 62974
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "editor.svc.cloud.microsoft",
+ "registered_domain": "cloud.microsoft",
+ "subdomain": "editor.svc",
+ "top_level_domain": "microsoft",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.73#62974: query: editor.svc.cloud.microsoft IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "editor.svc.cloud.microsoft"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "172.16.2.73",
+ "port": 62974
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod1.naturallanguageeditorservice.osi.office.net.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-eu-resolver.naturallanguageeditorservice.osi.office.net.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.49",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "editor.svc.cloud.microsoft.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod1.naturallanguageeditorservice.osi.office.net.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-eu-resolver.naturallanguageeditorservice.osi.office.net.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.49",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 172.16.2.73#62974 (editor.svc.cloud.microsoft.): answer: editor.svc.cloud.microsoft. IN A (10.100.0.1) -> NOERROR 20 CNAME prod1.naturallanguageeditorservice.osi.office.net.akadns.net. 4 CNAME prod-eu-resolver.naturallanguageeditorservice.osi.office.net.akadns.net. 4 A 198.51.100.49 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "editor.svc.cloud.microsoft."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.122",
+ "port": 51055
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "tas01.cwsapp.update.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "tas01.cwsapp.update",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.122#51055: query: tas01.cwsapp.update.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "tas01.cwsapp.update.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.122",
+ "port": 51055
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "glb.tas01.cwsapp-prod.dcat.dsp.mp.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "glb.cwsapp.prod.dcat.dsp.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.226",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "tas01.cwsapp.update.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "glb.tas01.cwsapp-prod.dcat.dsp.mp.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "glb.cwsapp.prod.dcat.dsp.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.226",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.122#51055 (tas01.cwsapp.update.microsoft.com.): answer: tas01.cwsapp.update.microsoft.com. IN A (10.100.0.1) -> NOERROR 125 CNAME glb.tas01.cwsapp-prod.dcat.dsp.mp.microsoft.com. 621 CNAME glb.cwsapp.prod.dcat.dsp.trafficmanager.net. 18 A 198.51.100.226 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "tas01.cwsapp.update.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.89",
+ "port": 55853
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.89#55853: query: eu-v20.events.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.89",
+ "port": 55853
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu-v20.events.data.microsoft.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.89#55853 (eu-v20.events.endpoint.security.microsoft.com.): answer: eu-v20.events.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 162 CNAME eu-v20.events.data.microsoft.com. 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.151",
+ "port": 49510
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "onedscolprdfrc01.francecentral.cloudapp.azure.com",
+ "registered_domain": "azure.com",
+ "subdomain": "onedscolprdfrc01.francecentral.cloudapp",
+ "top_level_domain": "com",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.151#49510: query: onedscolprdfrc01.francecentral.cloudapp.azure.com IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "onedscolprdfrc01.francecentral.cloudapp.azure.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.151",
+ "port": 49510
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.151#49510 (onedscolprdfrc01.francecentral.cloudapp.azure.com.): answer: onedscolprdfrc01.francecentral.cloudapp.azure.com. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "onedscolprdfrc01.francecentral.cloudapp.azure.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.123",
+ "port": 58803
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "winatp-gw-weu",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.123#58803: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.123",
+ "port": 58803
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.123#58803 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.114",
+ "port": 41461
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host152.host152.host152.host152.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host152.host152.host152.host152",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.114#41461: query: host152.host152.host152.host152.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host152.host152.host152.host152.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.114",
+ "port": 41461
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host152.host152.host152.host152.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.114#41461 (host152.host152.host152.host152.example.net.): answer: host152.host152.host152.host152.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host152.host152.host152.host152.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.120",
+ "port": 52852
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.120#52852: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.120",
+ "port": 52852
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.120#52852 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.94",
+ "port": 62361
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com",
+ "registered_domain": "citrix.com",
+ "subdomain": "downloadplugins",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.94#62361: query: downloadplugins.citrix.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.94",
+ "port": 62361
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.94#62361 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.172",
+ "port": 59427
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "www.google.com",
+ "registered_domain": "google.com",
+ "subdomain": "www",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#59427: query: www.google.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.google.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.172",
+ "port": 59427
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.247",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.243",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.245",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.242",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.248",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.244",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.249",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.246",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "www.google.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.247",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.243",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.245",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.242",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.248",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.244",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.249",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.246",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#59427 (www.google.com.): answer: www.google.com. IN A (10.100.0.1) -> NOERROR 115 A 198.51.100.247 115 A 198.51.100.243 115 A 198.51.100.245 115 A 198.51.100.242 115 A 198.51.100.248 115 A 198.51.100.244 115 A 198.51.100.249 115 A 198.51.100.246 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "www.google.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.172",
+ "port": 53826
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "apple.com",
+ "registered_domain": "apple.com",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#53826: query: apple.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.172",
+ "port": 53826
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.53",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "apple.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.53",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#53826 (apple.com.): answer: apple.com. IN A (10.100.0.1) -> NOERROR 244 A 198.51.100.53 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.172",
+ "port": 56085
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "enterpriseregistration.windows.net",
+ "registered_domain": "windows.net",
+ "subdomain": "enterpriseregistration",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.172#56085: query: enterpriseregistration.windows.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "enterpriseregistration.windows.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.172",
+ "port": 56085
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "na.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prdf.aadg.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.f.prd.aadg.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.214",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.211",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.212",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.213",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.150",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.215",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.152",
+ "type": "A"
+ },
+ {
+ "data": "20.190.181",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "enterpriseregistration.windows.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "na.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prdf.aadg.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.f.prd.aadg.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.214",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.211",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.212",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.213",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.150",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.215",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.152",
+ "type": "A"
+ },
+ {
+ "data": "20.190.181",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.172#56085 (enterpriseregistration.windows.net.): answer: enterpriseregistration.windows.net. IN A (10.100.0.1) -> NOERROR 1792 CNAME na.privatelink.msidentity.com. 129 CNAME prdf.aadg.msidentity.com. 21 CNAME www.tm.f.prd.aadg.akadns.net. 291 A 198.51.100.214 291 A 198.51.100.211 291 A 198.51.100.212 291 A 198.51.100.213 291 A 198.51.100.150 291 A 198.51.100.215 291 A 198.51.100.152 291 A 20.190.181"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "enterpriseregistration.windows.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.55",
+ "port": 57471
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.55#57471: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.55",
+ "port": 57471
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.55#57471 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.115",
+ "port": 30425
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gos-api.gos-gsp.io",
+ "registered_domain": "gos-gsp.io",
+ "subdomain": "gos-api",
+ "top_level_domain": "io",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.115#30425: query: gos-api.gos-gsp.io IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gos-api.gos-gsp.io"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.115",
+ "port": 30425
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "gos-api-pew1.gos-gsp.io.",
+ "type": "CNAME"
+ },
+ {
+ "data": "gos-api-pew1-a.gos-gsp.io.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.197",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.255",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.17",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.46",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "gos-api.gos-gsp.io.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "gos-api-pew1.gos-gsp.io.",
+ "type": "CNAME"
+ },
+ {
+ "data": "gos-api-pew1-a.gos-gsp.io.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.197",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.255",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.17",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.46",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.115#30425 (gos-api.gos-gsp.io.): answer: gos-api.gos-gsp.io. IN A (10.100.0.1) -> NOERROR 27 CNAME gos-api-pew1.gos-gsp.io. 4 CNAME gos-api-pew1-a.gos-gsp.io. 13 A 198.51.100.197 13 A 198.51.100.255 13 A 198.51.100.17 13 A 198.51.100.46 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gos-api.gos-gsp.io."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.229",
+ "port": 54956
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "europe.smartscreen",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.229#54956: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.229",
+ "port": 54956
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.229#54956 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.121",
+ "port": 62632
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "keepalive.softether.org",
+ "registered_domain": "softether.org",
+ "subdomain": "keepalive",
+ "top_level_domain": "org",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.121#62632: query: keepalive.softether.org IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "keepalive.softether.org"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.121",
+ "port": 62632
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "keepalive.softether.org.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.121#62632 (keepalive.softether.org.): answer: keepalive.softether.org. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "keepalive.softether.org."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.164",
+ "port": 60877
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ams-efz.ms-acdc.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "ams-efz.ms-acdc",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.164#60877: query: ams-efz.ms-acdc.office.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ams-efz.ms-acdc.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.164",
+ "port": 60877
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ams-efz.ms-acdc.office.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.164#60877 (ams-efz.ms-acdc.office.com.): answer: ams-efz.ms-acdc.office.com. IN A (10.100.0.1) -> NOERROR 6 A 198.51.100.218 6 A 198.51.100.11 6 A 198.51.100.10 6 A 198.51.100.6 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ams-efz.ms-acdc.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.110",
+ "port": 65215
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ws-m2m.prs.healthcare.philips.com",
+ "registered_domain": "philips.com",
+ "subdomain": "ws-m2m.prs.healthcare",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.110#65215: query: ws-m2m.prs.healthcare.philips.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ws-m2m.prs.healthcare.philips.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.110",
+ "port": 65215
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.163",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ws-m2m.prs.healthcare.philips.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.163",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.110#65215 (ws-m2m.prs.healthcare.philips.com.): answer: ws-m2m.prs.healthcare.philips.com. IN A (10.100.0.1) -> NOERROR 1545 A 198.51.100.163 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ws-m2m.prs.healthcare.philips.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.112",
+ "port": 59837
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.icloud.com",
+ "registered_domain": "icloud.com",
+ "subdomain": "mask",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.112#59837: query: mask.icloud.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.icloud.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.112",
+ "port": 59837
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "mask.apple-dns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "mask.icloud.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "mask.apple-dns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.112#59837 (mask.icloud.com.): answer: mask.icloud.com. IN TYPE65 (10.100.0.1) -> NOERROR 9366 CNAME mask.apple-dns.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.icloud.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.11",
+ "port": 51279
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "waa-pa.clients6.google.com",
+ "registered_domain": "google.com",
+ "subdomain": "waa-pa.clients6",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#51279: query: waa-pa.clients6.google.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "waa-pa.clients6.google.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.11",
+ "port": 51279
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "waa-pa.clients6.google.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#51279 (waa-pa.clients6.google.com.): answer: waa-pa.clients6.google.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "waa-pa.clients6.google.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.11",
+ "port": 49743
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "waa-pa.clients6.google.com",
+ "registered_domain": "google.com",
+ "subdomain": "waa-pa.clients6",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#49743: query: waa-pa.clients6.google.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "waa-pa.clients6.google.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.11",
+ "port": 49743
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.250",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "waa-pa.clients6.google.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.250",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#49743 (waa-pa.clients6.google.com.): answer: waa-pa.clients6.google.com. IN A (10.100.0.1) -> NOERROR 74 A 198.51.100.250 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "waa-pa.clients6.google.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.112",
+ "port": 62214
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.icloud.com",
+ "registered_domain": "icloud.com",
+ "subdomain": "mask",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.112#62214: query: mask.icloud.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.icloud.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.112",
+ "port": 62214
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "mask.apple-dns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.42",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.41",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.45",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.46",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.43",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.44",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.40",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.47",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "mask.icloud.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "mask.apple-dns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.42",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.41",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.45",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.46",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.43",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.44",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.40",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.47",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.112#62214 (mask.icloud.com.): answer: mask.icloud.com. IN A (10.100.0.1) -> NOERROR 9366 CNAME mask.apple-dns.net. 3 A 198.51.100.42 3 A 198.51.100.41 3 A 198.51.100.45 3 A 198.51.100.46 3 A 198.51.100.43 3 A 198.51.100.44 3 A 198.51.100.40 3 A 198.51.100.47 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.icloud.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 51237
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "star.c10r.facebook.com",
+ "registered_domain": "facebook.com",
+ "subdomain": "star.c10r",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#51237: query: star.c10r.facebook.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "star.c10r.facebook.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 51237
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "star.c10r.facebook.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#51237 (star.c10r.facebook.com.): answer: star.c10r.facebook.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "star.c10r.facebook.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.141",
+ "port": 54810
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "xp.apple.com",
+ "registered_domain": "apple.com",
+ "subdomain": "xp",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#54810: query: xp.apple.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "xp.apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.60",
+ "port": 64556
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mdav.eu.endpoint.security.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "mdav.eu.endpoint.security",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.60#64556: query: mdav.eu.endpoint.security.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mdav.eu.endpoint.security.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.141",
+ "port": 54810
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "xp.itunes-apple.com.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "xp.apple.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "xp.itunes-apple.com.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#54810 (xp.apple.com.): answer: xp.apple.com. IN TYPE65 (10.100.0.1) -> NOERROR 2500 CNAME xp.itunes-apple.com.akadns.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "xp.apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.60",
+ "port": 64556
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-atm-epp-eu.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip0.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.157",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "mdav.eu.endpoint.security.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "md-prod-simcon-atm-epp-eu.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "md-prod-simcon-ip0.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.157",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.60#64556 (mdav.eu.endpoint.security.microsoft.com.): answer: mdav.eu.endpoint.security.microsoft.com. IN A (10.100.0.1) -> NOERROR 106 CNAME md-prod-simcon-atm-epp-eu.trafficmanager.net. 269 CNAME md-prod-simcon-ip0.westeurope.cloudapp.azure.com. 1 A 198.51.100.157 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mdav.eu.endpoint.security.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.4",
+ "port": 60140
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-excel.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "euc-excel.officeapps",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.4#60140: query: euc-excel.officeapps.live.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-excel.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.4",
+ "port": 60140
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-excel-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-excel.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "euc-excel.officeapps.live.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-excel-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-excel.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.4#60140 (euc-excel.officeapps.live.com.): answer: euc-excel.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 49 CNAME euc-excel-geo.wac.trafficmanager.net. 55 CNAME euc-excel.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 44 CNAME wac-0003.wac-msedge.net. 17 A 198.51.100.236 17 A 198.51.100.235 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-excel.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.4",
+ "port": 58957
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-excel.officeapps.live.com",
+ "registered_domain": "live.com",
+ "subdomain": "euc-excel.officeapps",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.4#58957: query: euc-excel.officeapps.live.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-excel.officeapps.live.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.4",
+ "port": 58957
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-excel-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-excel.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "euc-excel.officeapps.live.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "euc-excel-geo.wac.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "euc-excel.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "wac-0003.wac-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.236",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.235",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.4#58957 (euc-excel.officeapps.live.com.): answer: euc-excel.officeapps.live.com. IN A (10.100.0.1) -> NOERROR 49 CNAME euc-excel-geo.wac.trafficmanager.net. 55 CNAME euc-excel.wac.trafficmanager.net.wac-0003.wac-dc-msedge.net.wac-0003.wac-msedge.net. 44 CNAME wac-0003.wac-msedge.net. 17 A 198.51.100.236 17 A 198.51.100.235 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-excel.officeapps.live.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.11",
+ "port": 52105
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ssl.gstatic.com",
+ "registered_domain": "gstatic.com",
+ "subdomain": "ssl",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#52105: query: ssl.gstatic.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ssl.gstatic.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.11",
+ "port": 52105
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ssl.gstatic.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#52105 (ssl.gstatic.com.): answer: ssl.gstatic.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ssl.gstatic.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.11",
+ "port": 58669
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ssl.gstatic.com",
+ "registered_domain": "gstatic.com",
+ "subdomain": "ssl",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#58669: query: ssl.gstatic.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ssl.gstatic.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.11",
+ "port": 58669
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.165",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ssl.gstatic.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.165",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#58669 (ssl.gstatic.com.): answer: ssl.gstatic.com. IN A (10.100.0.1) -> NOERROR 4 A 198.51.100.165 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ssl.gstatic.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.110",
+ "port": 59967
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "ws-m2m.prs.healthcare.philips.com",
+ "registered_domain": "philips.com",
+ "subdomain": "ws-m2m.prs.healthcare",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.110#59967: query: ws-m2m.prs.healthcare.philips.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ws-m2m.prs.healthcare.philips.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.110",
+ "port": 59967
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.163",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "ws-m2m.prs.healthcare.philips.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.163",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.110#59967 (ws-m2m.prs.healthcare.philips.com.): answer: ws-m2m.prs.healthcare.philips.com. IN A (10.100.0.1) -> NOERROR 1545 A 198.51.100.163 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "ws-m2m.prs.healthcare.philips.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.100",
+ "port": 62713
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "outlook.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "outlook",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.100#62713: query: outlook.office.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "outlook.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.100",
+ "port": 62713
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "outlook.office.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.100#62713 (outlook.office.com.): answer: outlook.office.com. IN A (10.100.0.1) -> NOERROR 31 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.10 7 A 198.51.100.6 7 A 198.51.100.218 7 A 198.51.100.11 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "outlook.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.88",
+ "port": 59170
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "gacs-discovery.cloud.com",
+ "registered_domain": "cloud.com",
+ "subdomain": "gacs-discovery",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.88#59170: query: gacs-discovery.cloud.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gacs-discovery.cloud.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.63",
+ "port": 62901
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.63#62901: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.63",
+ "port": 62901
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.63#62901 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.141",
+ "port": 49874
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "xp.apple.com",
+ "registered_domain": "apple.com",
+ "subdomain": "xp",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#49874: query: xp.apple.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "xp.apple.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.141",
+ "port": 49874
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "xp.itunes-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "xp-cdn-lb.itunes-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "xp.v.aaplimg.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.55",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.54",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "xp.apple.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "xp.itunes-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "xp-cdn-lb.itunes-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "xp.v.aaplimg.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.55",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.54",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#49874 (xp.apple.com.): answer: xp.apple.com. IN A (10.100.0.1) -> NOERROR 2500 CNAME xp.itunes-apple.com.akadns.net. 77 CNAME xp-cdn-lb.itunes-apple.com.akadns.net. 25 CNAME xp.v.aaplimg.com. 11 A 198.51.100.55 11 A 198.51.100.54 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "xp.apple.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.112",
+ "port": 51115
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.apple-dns.net",
+ "registered_domain": "apple-dns.net",
+ "subdomain": "mask",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.112#51115: query: mask.apple-dns.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.apple-dns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.112",
+ "port": 51115
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mask.apple-dns.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.112#51115 (mask.apple-dns.net.): answer: mask.apple-dns.net. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mask.apple-dns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.38",
+ "port": 60453
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "substrate.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "substrate",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.38#60453: query: substrate.office.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "substrate.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.38",
+ "port": 60453
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "substrate.office.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.38#60453 (substrate.office.com.): answer: substrate.office.com. IN TYPE65 (10.100.0.1) -> NOERROR 46 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "substrate.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.38",
+ "port": 54881
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "substrate.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "substrate",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.38#54881: query: substrate.office.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "substrate.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.38",
+ "port": 54881
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "substrate.office.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "outlook.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "acdcatm.outlook.mira.tm.svc.cloud.microsoft.",
+ "type": "CNAME"
+ },
+ {
+ "data": "outlook.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ams-efz.ms-acdc.office.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.218",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.6",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.11",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.10",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.38#54881 (substrate.office.com.): answer: substrate.office.com. IN A (10.100.0.1) -> NOERROR 46 CNAME outlook.cloud.microsoft. 175 CNAME acdcatm.outlook.mira.tm.svc.cloud.microsoft. 11 CNAME outlook.ms-acdc.office.com. 13 CNAME ams-efz.ms-acdc.office.com. 7 A 198.51.100.218 7 A 198.51.100.6 7 A 198.51.100.11 7 A 198.51.100.10 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "substrate.office.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.62",
+ "port": 65274
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "dw09pkmvpczpb.cloudfront.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.93",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.95",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.92",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.94",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "uploads.cdn.biorender.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "dw09pkmvpczpb.cloudfront.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.93",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.95",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.92",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.94",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.62#65274 (uploads.cdn.biorender.com.): answer: uploads.cdn.biorender.com. IN A (10.100.0.1) -> NOERROR 10 CNAME dw09pkmvpczpb.cloudfront.net. 60 A 198.51.100.93 60 A 198.51.100.95 60 A 198.51.100.92 60 A 198.51.100.94 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "uploads.cdn.biorender.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.120",
+ "port": 62227
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "v10.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "v10.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.120#62227: query: v10.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "v10.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.120",
+ "port": 62227
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "win-global-asimov-leafs-events-data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdeus11.eastus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.154",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "v10.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "win-global-asimov-leafs-events-data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdeus11.eastus.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.154",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.120#62227 (v10.events.data.microsoft.com.): answer: v10.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 22 CNAME win-global-asimov-leafs-events-data.trafficmanager.net. 6 CNAME onedscolprdeus11.eastus.cloudapp.azure.com. 5 A 198.51.100.154 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "v10.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.88",
+ "port": 59170
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "appconfig-ffb2c4are9abh3fa.a01.azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mr-a01.tm-azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dual.part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.211",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "gacs-discovery.cloud.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "appconfig-ffb2c4are9abh3fa.a01.azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mr-a01.tm-azurefd.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "dual.part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "part-0017.t-0009.fb-t-msedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.211",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.88#59170 (gacs-discovery.cloud.com.): answer: gacs-discovery.cloud.com. IN A (10.100.0.1) -> NOERROR 242 CNAME appconfig-ffb2c4are9abh3fa.a01.azurefd.net. 18 CNAME mr-a01.tm-azurefd.net. 25 CNAME dual.part-0017.t-0009.fb-t-msedge.net. 37 CNAME part-0017.t-0009.fb-t-msedge.net. 35 A 198.51.100.211 35 A 198.51.100.210 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "gacs-discovery.cloud.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.160",
+ "port": 53191
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "graph.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "graph",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.160#53191: query: graph.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.160",
+ "port": 53191
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ags.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.prd.ags.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.139",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.138",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.149",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.142",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.140",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.143",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.141",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "graph.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ags.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.prd.ags.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.210",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.139",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.138",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.149",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.142",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.140",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.143",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.141",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.160#53191 (graph.microsoft.com.): answer: graph.microsoft.com. IN A (10.100.0.1) -> NOERROR 1055 CNAME ags.privatelink.msidentity.com. 165 CNAME www.tm.prd.ags.akadns.net. 122 A 198.51.100.210 122 A 198.51.100.139 122 A 198.51.100.138 122 A 198.51.100.149 122 A 198.51.100.142 122 A 198.51.100.140 122 A 198.51.100.143 122 A 198.51.100.141 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.160",
+ "port": 50737
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "graph.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "graph",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.160#50737: query: graph.microsoft.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.160",
+ "port": 50737
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "ags.privatelink.msidentity.com.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "graph.microsoft.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "ags.privatelink.msidentity.com.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.160#50737 (graph.microsoft.com.): answer: graph.microsoft.com. IN TYPE65 (10.100.0.1) -> NOERROR 1054 CNAME ags.privatelink.msidentity.com. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "graph.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.132",
+ "port": 53090
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "iphone-ld.origin-apple.com.akadns.net",
+ "registered_domain": "akadns.net",
+ "subdomain": "iphone-ld.origin-apple.com",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.132#53090: query: iphone-ld.origin-apple.com.akadns.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "iphone-ld.origin-apple.com.akadns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.132",
+ "port": 53090
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "iphone-ld-migration.origin-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "iphone-ld.v.aaplimg.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.54",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.57",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "iphone-ld.origin-apple.com.akadns.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "iphone-ld-migration.origin-apple.com.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "iphone-ld.v.aaplimg.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.54",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.57",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.132#53090 (iphone-ld.origin-apple.com.akadns.net.): answer: iphone-ld.origin-apple.com.akadns.net. IN A (10.100.0.1) -> NOERROR 292 CNAME iphone-ld-migration.origin-apple.com.akadns.net. 23 CNAME iphone-ld.v.aaplimg.com. 8 A 198.51.100.54 8 A 198.51.100.57 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "iphone-ld.origin-apple.com.akadns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.132",
+ "port": 51249
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "iphone-ld.origin-apple.com.akadns.net",
+ "registered_domain": "akadns.net",
+ "subdomain": "iphone-ld.origin-apple.com",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.132#51249: query: iphone-ld.origin-apple.com.akadns.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "iphone-ld.origin-apple.com.akadns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.132",
+ "port": 51249
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "iphone-ld.origin-apple.com.akadns.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.132#51249 (iphone-ld.origin-apple.com.akadns.net.): answer: iphone-ld.origin-apple.com.akadns.net. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "iphone-ld.origin-apple.com.akadns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.110",
+ "port": 64771
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "locate-europe-west-azure-1.devicetrust.com",
+ "registered_domain": "devicetrust.com",
+ "subdomain": "locate-europe-west-azure-1",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.110#64771: query: locate-europe-west-azure-1.devicetrust.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "locate-europe-west-azure-1.devicetrust.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.110",
+ "port": 64771
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "whois-eu-west-1.azurewebsites.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "hosts.whois-eu-west-1.azurewebsites.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.134",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.135",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.132",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.208",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.207",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.133",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "locate-europe-west-azure-1.devicetrust.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "whois-eu-west-1.azurewebsites.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "hosts.whois-eu-west-1.azurewebsites.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.134",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.135",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.132",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.208",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.207",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.133",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.110#64771 (locate-europe-west-azure-1.devicetrust.com.): answer: locate-europe-west-azure-1.devicetrust.com. IN A (10.100.0.1) -> NOERROR 146 CNAME whois-eu-west-1.azurewebsites.net. 16 CNAME hosts.whois-eu-west-1.azurewebsites.net. 29 A 198.51.100.134 29 A 198.51.100.135 29 A 198.51.100.132 29 A 198.51.100.208 29 A 198.51.100.207 29 A 198.51.100.133 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "locate-europe-west-azure-1.devicetrust.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.219",
+ "port": 56542
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.39.in-addr.arpa",
+ "registered_domain": "39.in-addr.arpa",
+ "subdomain": "198.51.100",
+ "top_level_domain": "in-addr.arpa",
+ "type": "PTR"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.219#56542: query: 198.51.100.39.in-addr.arpa IN PTR (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.39.in-addr.arpa"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.219",
+ "port": 56542
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host153.host153.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "198.51.100.39.in-addr.arpa.",
+ "type": "PTR"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host153.host153.example.net.",
+ "type": "PTR"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.219#56542 (198.51.100.39.in-addr.arpa.): answer: 198.51.100.39.in-addr.arpa. IN PTR (10.100.0.1) -> NOERROR 28800 PTR host153.host153.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "198.51.100.39.in-addr.arpa."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.219",
+ "port": 57577
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host153.host153.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host153.host153",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.219#57577: query: host153.host153.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host153.host153.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.219",
+ "port": 57577
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host153.host153.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host153.host153",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.219#57577: query: host153.host153.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host153.host153.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 48628
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host013",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#48628: query: host013.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 48628
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host013",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#48628: query: host013.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.219",
+ "port": 57577
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.218",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host153.host153.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.218",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.219#57577 (host153.host153.example.net.): answer: host153.host153.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.218 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host153.host153.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.219",
+ "port": 57577
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host153.host153.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.219#57577 (host153.host153.example.net.): answer: host153.host153.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host153.host153.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 48628
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.217",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.217",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#48628 (host013.example.net.): answer: host013.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.217 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.20",
+ "port": 48628
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host013.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.20#48628 (host013.example.net.): answer: host013.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host013.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.172",
+ "port": 64723
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "g.whatsapp.net",
+ "registered_domain": "whatsapp.net",
+ "subdomain": "g",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#64723: query: g.whatsapp.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "g.whatsapp.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.141",
+ "port": 62816
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "xp.itunes-apple.com.akadns.net",
+ "registered_domain": "akadns.net",
+ "subdomain": "xp.itunes-apple.com",
+ "top_level_domain": "net",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#62816: query: xp.itunes-apple.com.akadns.net IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "xp.itunes-apple.com.akadns.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.172",
+ "port": 64723
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "chat.cdn.whatsapp.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.33",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "g.whatsapp.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "chat.cdn.whatsapp.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.33",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.172#64723 (g.whatsapp.net.): answer: g.whatsapp.net. IN A (10.100.0.1) -> NOERROR 299 CNAME chat.cdn.whatsapp.net. 6 A 198.51.100.33 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "g.whatsapp.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.141",
+ "port": 62816
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "xp-cdn-lb.itunes-apple.com.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "xp.itunes-apple.com.akadns.net.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "xp-cdn-lb.itunes-apple.com.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#62816 (xp.itunes-apple.com.akadns.net.): answer: xp.itunes-apple.com.akadns.net. IN TYPE65 (10.100.0.1) -> NOERROR 76 CNAME xp-cdn-lb.itunes-apple.com.akadns.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "xp.itunes-apple.com.akadns.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.141",
+ "port": 53995
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.141#53995: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.141",
+ "port": 53995
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.141#53995 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.141",
+ "port": 51396
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host001",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.141#51396: query: host001.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.141",
+ "port": 51396
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host001.example.net.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.141#51396 (host001.example.net.): answer: host001.example.net. IN A (10.100.0.1) -> NXDOMAIN "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host001.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.155",
+ "port": 60368
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "winatp-gw-weu",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.155#60368: query: winatp-gw-weu.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.155",
+ "port": 60368
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "winatp-gw-weu.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "sevillecloudgateway-weu-prd.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.48",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.155#60368 (winatp-gw-weu.microsoft.com.): answer: winatp-gw-weu.microsoft.com. IN A (10.100.0.1) -> NOERROR 340 CNAME sevillecloudgateway-weu-prd.trafficmanager.net. 37 CNAME mps-mde-prd-weu-16-service-tag.westeurope.cloudapp.azure.com. 4 A 198.51.100.48 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "winatp-gw-weu.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.42",
+ "port": 59690
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-teams.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-teams.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.42#59690: query: eu-teams.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-teams.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.42",
+ "port": 59690
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-teams.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.42#59690 (eu-teams.events.data.microsoft.com.): answer: eu-teams.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 9 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-teams.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.22",
+ "port": 42840
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host124.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host124",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.22#42840: query: host124.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host124.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.22",
+ "port": 42840
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host124.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host124",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.22#42840: query: host124.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host124.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.22",
+ "port": 42840
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.238",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host124.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.238",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.22#42840 (host124.example.net.): answer: host124.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.238 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host124.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.22",
+ "port": 42840
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host124.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.22#42840 (host124.example.net.): answer: host124.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host124.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 61589
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "scontent-ams2-1.cdninstagram.com",
+ "registered_domain": "cdninstagram.com",
+ "subdomain": "scontent-ams2-1",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#61589: query: scontent-ams2-1.cdninstagram.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "scontent-ams2-1.cdninstagram.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 61589
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.27",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "scontent-ams2-1.cdninstagram.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.27",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#61589 (scontent-ams2-1.cdninstagram.com.): answer: scontent-ams2-1.cdninstagram.com. IN A (10.100.0.1) -> NOERROR 90 A 198.51.100.27 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "scontent-ams2-1.cdninstagram.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.132",
+ "port": 54332
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "iphone-ld.v.aaplimg.com",
+ "registered_domain": "aaplimg.com",
+ "subdomain": "iphone-ld.v",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.132#54332: query: iphone-ld.v.aaplimg.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "iphone-ld.v.aaplimg.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.132",
+ "port": 54332
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "iphone-ld.v.aaplimg.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.132#54332 (iphone-ld.v.aaplimg.com.): answer: iphone-ld.v.aaplimg.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "iphone-ld.v.aaplimg.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.17",
+ "port": 63349
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host154.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host154",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.17#63349: query: host154.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host154.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.182",
+ "port": 51869
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "login.microsoftonline.com",
+ "registered_domain": "microsoftonline.com",
+ "subdomain": "login",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.182#51869: query: login.microsoftonline.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "login.microsoftonline.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.182",
+ "port": 51869
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "login.mso.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ak.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.a.prd.aadg.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.145",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.147",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.209",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.144",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.137",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.146",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.208",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.148",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "login.microsoftonline.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "login.mso.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "ak.privatelink.msidentity.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "www.tm.a.prd.aadg.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.145",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.147",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.209",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.144",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.137",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.146",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.208",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.148",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.182#51869 (login.microsoftonline.com.): answer: login.microsoftonline.com. IN A (10.100.0.1) -> NOERROR 7955 CNAME login.mso.msidentity.com. 71 CNAME ak.privatelink.msidentity.com. 41 CNAME www.tm.a.prd.aadg.trafficmanager.net. 99 A 198.51.100.145 99 A 198.51.100.147 99 A 198.51.100.209 99 A 198.51.100.144 99 A 198.51.100.137 99 A 198.51.100.146 99 A 198.51.100.208 99 A 198.51.100.148 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "login.microsoftonline.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.17",
+ "port": 63349
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host155.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.17#63349 (host155.example.net.): answer: host155.example.net. IN A (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host155.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "as": {
+ "number": 64501,
+ "organization": {
+ "name": "Documentation ASN"
+ }
+ },
+ "geo": {
+ "city_name": "Amsterdam",
+ "continent_name": "Europe",
+ "country_iso_code": "NL",
+ "country_name": "Netherlands",
+ "location": {
+ "lat": 52.37404,
+ "lon": 4.88969
+ },
+ "region_iso_code": "NL-NH",
+ "region_name": "North Holland"
+ },
+ "ip": "198.51.100.191",
+ "port": 45557
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host132.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host132",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.191#45557: query: host132.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host132.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "as": {
+ "number": 64501,
+ "organization": {
+ "name": "Documentation ASN"
+ }
+ },
+ "geo": {
+ "city_name": "Amsterdam",
+ "continent_name": "Europe",
+ "country_iso_code": "NL",
+ "country_name": "Netherlands",
+ "location": {
+ "lat": 52.37404,
+ "lon": 4.88969
+ },
+ "region_iso_code": "NL-NH",
+ "region_name": "North Holland"
+ },
+ "ip": "198.51.100.191",
+ "port": 45557
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.224",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host132.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "10.1.0.224",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.191#45557 (host132.example.net.): answer: host132.example.net. IN A (10.100.0.1) -> NOERROR 28800 A 10.1.0.224 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host132.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "as": {
+ "number": 64501,
+ "organization": {
+ "name": "Documentation ASN"
+ }
+ },
+ "geo": {
+ "city_name": "Amsterdam",
+ "continent_name": "Europe",
+ "country_iso_code": "NL",
+ "country_name": "Netherlands",
+ "location": {
+ "lat": 52.37404,
+ "lon": 4.88969
+ },
+ "region_iso_code": "NL-NH",
+ "region_name": "North Holland"
+ },
+ "ip": "198.51.100.191",
+ "port": 45557
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host132.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host132",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.191#45557: query: host132.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host132.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "as": {
+ "number": 64501,
+ "organization": {
+ "name": "Documentation ASN"
+ }
+ },
+ "geo": {
+ "city_name": "Amsterdam",
+ "continent_name": "Europe",
+ "country_iso_code": "NL",
+ "country_name": "Netherlands",
+ "location": {
+ "lat": 52.37404,
+ "lon": 4.88969
+ },
+ "region_iso_code": "NL-NH",
+ "region_name": "North Holland"
+ },
+ "ip": "198.51.100.191",
+ "port": 45557
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host132.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.191#45557 (host132.example.net.): answer: host132.example.net. IN AAAA (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host132.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.141",
+ "port": 59092
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "xp.v.aaplimg.com",
+ "registered_domain": "aaplimg.com",
+ "subdomain": "xp.v",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#59092: query: xp.v.aaplimg.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "xp.v.aaplimg.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.141",
+ "port": 59092
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "xp.v.aaplimg.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.141#59092 (xp.v.aaplimg.com.): answer: xp.v.aaplimg.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "xp.v.aaplimg.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 52577
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "scontent-lhr6-2.cdninstagram.com",
+ "registered_domain": "cdninstagram.com",
+ "subdomain": "scontent-lhr6-2",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#52577: query: scontent-lhr6-2.cdninstagram.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "scontent-lhr6-2.cdninstagram.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.165",
+ "port": 52577
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.20",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "scontent-lhr6-2.cdninstagram.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.20",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.165#52577 (scontent-lhr6-2.cdninstagram.com.): answer: scontent-lhr6-2.cdninstagram.com. IN A (10.100.0.1) -> NOERROR 695 A 198.51.100.20 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "scontent-lhr6-2.cdninstagram.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.204",
+ "port": 52449
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host007",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.204#52449: query: host007.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.204",
+ "port": 52449
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host007",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.204#52449: query: host007.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.204",
+ "port": 52449
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "10.100.0.1",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "10.100.0.1",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.204#52449 (host007.example.net.): answer: host007.example.net. IN A (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net. 3600 A 10.100.0.1 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.204",
+ "port": 52449
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host007.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host008.example.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.204#52449 (host007.example.net.): answer: host007.example.net. IN AAAA (10.100.0.1) -> NOERROR 3600 CNAME host008.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host007.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.81",
+ "port": 50648
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com",
+ "registered_domain": "citrix.com",
+ "subdomain": "downloadplugins",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.81#50648: query: downloadplugins.citrix.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.81",
+ "port": 50648
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "downloadplugins.citrix.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "downloadplugins.citrix.com.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e8793.g.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.183",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.81#50648 (downloadplugins.citrix.com.): answer: downloadplugins.citrix.com. IN A (10.100.0.1) -> NOERROR 1605 CNAME downloadplugins.citrix.com.edgekey.net. 1506 CNAME e8793.g.akamaiedge.net. 13 A 198.51.100.183 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "downloadplugins.citrix.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.11",
+ "port": 61572
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mail.google.com",
+ "registered_domain": "google.com",
+ "subdomain": "mail",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#61572: query: mail.google.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mail.google.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.11",
+ "port": 52908
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mail.google.com",
+ "registered_domain": "google.com",
+ "subdomain": "mail",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#52908: query: mail.google.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mail.google.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.11",
+ "port": 52908
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.240",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "mail.google.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "198.51.100.240",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#52908 (mail.google.com.): answer: mail.google.com. IN A (10.100.0.1) -> NOERROR 233 A 198.51.100.240 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mail.google.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "as": {
+ "number": 64501,
+ "organization": {
+ "name": "Documentation ASN"
+ }
+ },
+ "geo": {
+ "city_name": "Amsterdam",
+ "continent_name": "Europe",
+ "country_iso_code": "NL",
+ "country_name": "Netherlands",
+ "location": {
+ "lat": 52.37404,
+ "lon": 4.88969
+ },
+ "region_iso_code": "NL-NH",
+ "region_name": "North Holland"
+ },
+ "ip": "198.51.100.190",
+ "port": 53302
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host156.host156.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host156.host156",
+ "top_level_domain": "net",
+ "type": "AAAA"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.190#53302: query: host156.host156.example.net IN AAAA (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host156.host156.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "as": {
+ "number": 64501,
+ "organization": {
+ "name": "Documentation ASN"
+ }
+ },
+ "geo": {
+ "city_name": "Amsterdam",
+ "continent_name": "Europe",
+ "country_iso_code": "NL",
+ "country_name": "Netherlands",
+ "location": {
+ "lat": 52.37404,
+ "lon": 4.88969
+ },
+ "region_iso_code": "NL-NH",
+ "region_name": "North Holland"
+ },
+ "ip": "198.51.100.190",
+ "port": 53302
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host157.host157.example.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host156.host156.example.net.",
+ "type": "AAAA"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host157.host157.example.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.190#53302 (host156.host156.example.net.): answer: host156.host156.example.net. IN AAAA (10.100.0.1) -> NOERROR 28800 CNAME host157.host157.example.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host156.host156.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "as": {
+ "number": 64501,
+ "organization": {
+ "name": "Documentation ASN"
+ }
+ },
+ "geo": {
+ "city_name": "Amsterdam",
+ "continent_name": "Europe",
+ "country_iso_code": "NL",
+ "country_name": "Netherlands",
+ "location": {
+ "lat": 52.37404,
+ "lon": 4.88969
+ },
+ "region_iso_code": "NL-NH",
+ "region_name": "North Holland"
+ },
+ "ip": "198.51.100.190",
+ "port": 39280
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "host156.host156.example.net",
+ "registered_domain": "example.net",
+ "subdomain": "host156.host156",
+ "top_level_domain": "net",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.190#39280: query: host156.host156.example.net IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host156.host156.example.net"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "as": {
+ "number": 64501,
+ "organization": {
+ "name": "Documentation ASN"
+ }
+ },
+ "geo": {
+ "city_name": "Amsterdam",
+ "continent_name": "Europe",
+ "country_iso_code": "NL",
+ "country_name": "Netherlands",
+ "location": {
+ "lat": 52.37404,
+ "lon": 4.88969
+ },
+ "region_iso_code": "NL-NH",
+ "region_name": "North Holland"
+ },
+ "ip": "198.51.100.190",
+ "port": 39280
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "host157.host157.example.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.189",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "host156.host156.example.net.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "host157.host157.example.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.189",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 198.51.100.190#39280 (host156.host156.example.net.): answer: host156.host156.example.net. IN A (10.100.0.1) -> NOERROR 28800 CNAME host157.host157.example.net. 28800 A 198.51.100.189 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "host156.host156.example.net."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.161",
+ "port": 55971
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "editor.svc.cloud.microsoft",
+ "registered_domain": "cloud.microsoft",
+ "subdomain": "editor.svc",
+ "top_level_domain": "microsoft",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.161#55971: query: editor.svc.cloud.microsoft IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "editor.svc.cloud.microsoft"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.161",
+ "port": 55971
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod1.naturallanguageeditorservice.osi.office.net.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "editor.svc.cloud.microsoft.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod1.naturallanguageeditorservice.osi.office.net.akadns.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.161#55971 (editor.svc.cloud.microsoft.): answer: editor.svc.cloud.microsoft. IN TYPE65 (10.100.0.1) -> NOERROR 20 CNAME prod1.naturallanguageeditorservice.osi.office.net.akadns.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "editor.svc.cloud.microsoft."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.149",
+ "port": 49773
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.149#49773: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.149",
+ "port": 49773
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.149#49773 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.161",
+ "port": 62709
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "editor.svc.cloud.microsoft",
+ "registered_domain": "cloud.microsoft",
+ "subdomain": "editor.svc",
+ "top_level_domain": "microsoft",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.161#62709: query: editor.svc.cloud.microsoft IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "editor.svc.cloud.microsoft"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.161",
+ "port": 62709
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod1.naturallanguageeditorservice.osi.office.net.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-eu-resolver.naturallanguageeditorservice.osi.office.net.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.49",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "editor.svc.cloud.microsoft.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod1.naturallanguageeditorservice.osi.office.net.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-eu-resolver.naturallanguageeditorservice.osi.office.net.akadns.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.49",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.161#62709 (editor.svc.cloud.microsoft.): answer: editor.svc.cloud.microsoft. IN A (10.100.0.1) -> NOERROR 20 CNAME prod1.naturallanguageeditorservice.osi.office.net.akadns.net. 4 CNAME prod-eu-resolver.naturallanguageeditorservice.osi.office.net.akadns.net. 4 A 198.51.100.49 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "editor.svc.cloud.microsoft."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.126",
+ "port": 52802
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "eu-v20.events.data",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.126#52802: query: eu-v20.events.data.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.126",
+ "port": 52802
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "eu-v20.events.data.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "eu.events.data.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "onedscolprdfrc01.francecentral.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.230",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.126#52802 (eu-v20.events.data.microsoft.com.): answer: eu-v20.events.data.microsoft.com. IN A (10.100.0.1) -> NOERROR 67 CNAME eu.events.data.trafficmanager.net. 6 CNAME onedscolprdfrc01.francecentral.cloudapp.azure.com. 2 A 198.51.100.230 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "eu-v20.events.data.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 61559
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "acrobat.adobe.com",
+ "registered_domain": "adobe.com",
+ "subdomain": "acrobat",
+ "top_level_domain": "com",
+ "type": "TYPE65"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#61559: query: acrobat.adobe.com IN TYPE65 (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "acrobat.adobe.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 61559
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "acrobat.adobe.com.i.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e29329.dsca.akamaiedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "acrobat.adobe.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "acrobat.adobe.com.i.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e29329.dsca.akamaiedge.net.",
+ "type": "CNAME"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#61559 (acrobat.adobe.com.): answer: acrobat.adobe.com. IN TYPE65 (10.100.0.1) -> NOERROR 124 CNAME acrobat.adobe.com.i.edgekey.net. 18179 CNAME e29329.dsca.akamaiedge.net. "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "acrobat.adobe.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.112",
+ "port": 56686
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com",
+ "registered_domain": "microsoft.com",
+ "subdomain": "europe.smartscreen",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.112#56686: query: europe.smartscreen.microsoft.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.1.112",
+ "port": 56686
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "europe.smartscreen.microsoft.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "prod-atm-wds-e5-europe.trafficmanager.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "prod-agic-we-3.westeurope.cloudapp.azure.com.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.156",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.1.112#56686 (europe.smartscreen.microsoft.com.): answer: europe.smartscreen.microsoft.com. IN A (10.100.0.1) -> NOERROR 1193 CNAME prod-atm-wds-e5-europe.trafficmanager.net. 151 CNAME prod-agic-we-3.westeurope.cloudapp.azure.com. 3 A 198.51.100.156 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "europe.smartscreen.microsoft.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 61242
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "acrobat.adobe.com",
+ "registered_domain": "adobe.com",
+ "subdomain": "acrobat",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#61242: query: acrobat.adobe.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "acrobat.adobe.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.90",
+ "port": 61242
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "acrobat.adobe.com.i.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e29329.dsca.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.124",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.128",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "class": "IN",
+ "name": "acrobat.adobe.com.",
+ "type": "A"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "answers": [
+ {
+ "data": "acrobat.adobe.com.i.edgekey.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "e29329.dsca.akamaiedge.net.",
+ "type": "CNAME"
+ },
+ {
+ "data": "198.51.100.124",
+ "type": "A"
+ },
+ {
+ "data": "198.51.100.128",
+ "type": "A"
+ }
+ ],
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.90#61242 (acrobat.adobe.com.): answer: acrobat.adobe.com. IN A (10.100.0.1) -> NOERROR 124 CNAME acrobat.adobe.com.i.edgekey.net. 18179 CNAME e29329.dsca.akamaiedge.net. 20 A 198.51.100.124 20 A 198.51.100.128 "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "acrobat.adobe.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.11",
+ "port": 61572
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "mail.google.com.",
+ "type": "TYPE65"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.11#61572 (mail.google.com.): answer: mail.google.com. IN TYPE65 (10.100.0.1) -> NOERROR "
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "mail.google.com."
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ },
+ {
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.130",
+ "port": 55301
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "188926-ipv4fdsmte.gr.global.aa-rt.sharepoint.com",
+ "registered_domain": "sharepoint.com",
+ "subdomain": "188926-ipv4fdsmte.gr.global.aa-rt",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.130#55301: query: 188926-ipv4fdsmte.gr.global.aa-rt.sharepoint.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "188926-ipv4fdsmte.gr.global.aa-rt.sharepoint.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+ }
+ ]
+}
diff --git a/packages/efficient_ip/data_stream/log/agent/stream/udp.yml.hbs b/packages/efficient_ip/data_stream/log/agent/stream/udp.yml.hbs
new file mode 100644
index 00000000000..40a1ef99b8c
--- /dev/null
+++ b/packages/efficient_ip/data_stream/log/agent/stream/udp.yml.hbs
@@ -0,0 +1,33 @@
+host: {{listen_address}}:{{listen_port}}
+{{#if max_message_size}}
+max_message_size: {{max_message_size}}
+{{/if}}
+{{#if timeout}}
+timeout: {{timeout}}
+{{/if}}
+{{#if keep_null}}
+keep_null: {{keep_null}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag|}}
+- {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+- preserve_original_event
+{{/if}}
+{{else}}
+{{#if preserve_original_event}}
+tags:
+- preserve_original_event
+{{/if}}
+{{/if}}
+
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
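Review bot: The `preserve_original_event` tag emitted in both branches of the `tags` block does not appear to be honoured downstream. `default.yml` in this same diff has no `remove` on `event.original` conditioned on the tag, and the expected test documents earlier in the diff carry `event.original` with no `tags` field at all. As far as the diff shows, the raw syslog line is therefore stored whether or not the user enables the option. If that is not intended, add near the end of `default.yml` a `remove` processor for `event.original` with `if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))`, plus `ignore_missing: true` and `ignore_failure: true`.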
diff --git a/packages/efficient_ip/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/efficient_ip/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..e4e79e5c2de
--- /dev/null
+++ b/packages/efficient_ip/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,235 @@
+---
+description: Pipeline for parsing EfficientIP DDI logs.
+processors:
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ if: ctx.event?.original == null
+ - set:
+ field: ecs.version
+ value: '8.11.0'
+ - grok:
+ field: event.original
+ patterns:
+ - "^<%{NUMBER:log.syslog.priority:long}>(?:%{SYSLOGTIMESTAMP:event.created}|%{TIMESTAMP_ISO8601:event.created})\\s+%{DATA:host.name}\\s+%{DATA:efficient_ip.log.service_name}\\[?%{NUMBER:process.pid:long}?\\]?:\\s+%{GREEDYDATA:message}$"
+ - "^<%{NUMBER:log.syslog.priority:long}>(?:%{SYSLOGTIMESTAMP:event.created}|%{TIMESTAMP_ISO8601:event.created})\\s+%{DATA:host.name}\\s+%{GREEDYDATA:message}$"
+ - "^%{GREEDYDATA:message}$"
+ - rename:
+ field: _conf.tz_offset
+ target_field: event.timezone
+ if: ctx._conf?.tz_offset != null && ctx._conf.tz_offset != 'local'
+ ignore_missing: true
+ ignore_failure: true
+ - date:
+ field: event.created
+ tag: date_event_created_tz
+ timezone: '{{{event.timezone}}}'
+ if: ctx.event?.timezone != null && ctx.event.created != null
+ target_field: event.created
+ formats:
+ - MMM d HH:mm:ss
+ - MMM dd HH:mm:ss
+ - MMM d HH:mm:ss
+ - dd-MMM-yyyy HH:mm:ss.SSS
+ - ISO8601
+ on_failure:
+ - remove:
+ field: event.created
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}in pipeline {{{_ingest.pipeline}}}
+ failed with message '{{{ _ingest.on_failure_message }}}'
+ - date:
+ field: event.created
+ tag: date_event_created_notz
+ if: ctx.event?.timezone == null && ctx.event?.created != null
+ target_field: event.created
+ formats:
+ - MMM d HH:mm:ss
+ - MMM dd HH:mm:ss
+ - MMM d HH:mm:ss
+ - dd-MMM-yyyy HH:mm:ss.SSS
+ - ISO8601
+ on_failure:
+ - remove:
+ field: event.created
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}in pipeline {{{_ingest.pipeline}}}
+ failed with message '{{{ _ingest.on_failure_message }}}'
+ - set:
+ field: efficient_ip.log.type
+ value: 'DHCP'
+ if: ctx.efficient_ip?.log?.service_name == 'dhcpd' || ctx.efficient_ip?.log?.service_name == 'dhcpdv6'
+ - set:
+ field: efficient_ip.log.type
+ value: 'DNS'
+ if: ctx.efficient_ip?.log?.service_name == 'named'
+ - set:
+ field: efficient_ip.log.type
+ value: 'AUDIT'
+ if: ctx.efficient_ip?.log?.service_name == 'httpd'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_dhcp" }}'
+ if: ctx.efficient_ip?.log?.type == 'DHCP'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_dns" }}'
+ if: ctx.efficient_ip?.log?.type == 'DNS'
+ # Since logstash sets the @timestamp if not present, `override: true` is required to overwrite the value with event timestamp.
+ - set:
+ field: '@timestamp'
+ copy_from: event.created
+ if: ctx.event?.created != null
+ override: true
+ # If individual pipelines has timestamp, they should take priority. This makes @timestamp < event.created conforming to ECS.
+ - set:
+ field: '@timestamp'
+ copy_from: _tmp.timestamp
+ if: ctx._tmp?.timestamp != null
+ override: true
+ - convert:
+ field: _tmp.host.ip
+ if: ctx._tmp?.host?.ip != null && ctx._tmp.host.ip != ''
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _tmp.host.ip
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}in pipeline {{{_ingest.pipeline}}}
+ failed with message '{{{ _ingest.on_failure_message }}}'
+ - append:
+ field: related.ip
+ value: '{{{_tmp.host.ip}}}'
+ if: ctx._tmp?.host?.ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ field: _tmp.ip
+ if: ctx._tmp?.ip != null && ctx._tmp.ip != ''
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _tmp.ip
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}in pipeline {{{_ingest.pipeline}}}
+ failed with message '{{{ _ingest.on_failure_message }}}'
+ - append:
+ field: related.ip
+ value: '{{{_tmp.ip}}}'
+ if: ctx._tmp?.ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.hosts
+ value: '{{{host.domain}}}'
+ if: ctx.host?.domain != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: host.ip
+ value: '{{{_tmp.host.ip}}}'
+ if: ctx._tmp?.host?.ip != null
+ ignore_failure: true
+ - append:
+ field: host.ip
+ value: '{{{_tmp.ip}}}'
+ if: ctx._tmp?.ip != null
+ ignore_failure: true
+ - lowercase:
+ field: event.action
+ if: ctx.event?.action != null
+ ignore_failure: true
+ - geoip:
+ field: "client.ip"
+ target_field: "client.geo"
+ if: ctx.client?.geo == null && ctx.client?.ip != null
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: client.ip
+ target_field: client.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: ctx.client?.ip != null
+ - rename:
+ field: client.as.asn
+ target_field: client.as.number
+ ignore_missing: true
+ if: ctx.client?.as?.asn != null
+ - rename:
+ field: client.as.organization_name
+ target_field: client.as.organization.name
+ ignore_missing: true
+ if: ctx.client?.as?.organization_name != null
+ - dissect:
+ field: network.transport
+ pattern: "view %{}: %{network.transport}"
+ if: ctx.network?.transport instanceof String && ctx.network.transport.contains('view')
+ - lowercase:
+ field: network.transport
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively.
+ lang: painless
+ source: |
+ boolean drop(Object o) {
+ if (o == null || o == '') {
+ return true;
+ } else if (o instanceof Map) {
+ ((Map) o).values().removeIf(v -> drop(v));
+ return (((Map) o).size() == 0);
+ } else if (o instanceof List) {
+ ((List) o).removeIf(v -> drop(v));
+ return (((List) o).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+ - remove:
+ field: message
+ ignore_missing: true
+ if: ctx.event?.original != null
+ - remove:
+ field:
+ - _conf
+ - _tmp
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}in pipeline {{{_ingest.pipeline}}}
+ failed with message '{{{ _ingest.on_failure_message }}}'
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
\ No newline at end of file
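Review bot: `related.ip` is filled only from `_tmp.host.ip` and `_tmp.ip`, in the two `append` processors that follow the `convert` steps, so the querying client never reaches it. The expected DNS documents earlier in this diff confirm this: `client.ip` is 10.1.1.161 while `related.ip` holds only the server address 10.100.0.1. Searches that pivot on `related.ip` will miss the host that issued the query. Append `client.ip` next to the existing appends, as sketched below. Whether `pipeline_dns` should also add the A-record answers cannot be judged from this hunk.

```yaml
  # … unchanged: related.ip appends for _tmp.host.ip and _tmp.ip …
  - append:
      field: related.ip
      value: '{{{client.ip}}}'
      if: ctx.client?.ip != null
      allow_duplicates: false
      ignore_failure: true
```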
diff --git a/packages/efficient_ip/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dhcp.yml b/packages/efficient_ip/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dhcp.yml
new file mode 100644
index 00000000000..0b082e8a942
--- /dev/null
+++ b/packages/efficient_ip/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dhcp.yml
@@ -0,0 +1,339 @@
+---
+description: Pipeline for parsing EfficientIP DHCP logs.
+processors:
+ - set:
+ field: network.protocol
+ value: dhcp
+ - grok:
+ tag: grok_DHCPDISCOVER_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('DHCPDISCOVER')
+ patterns:
+ - '^%{WORD:event.action} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id} uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id}: network %{DATA:efficient_ip.log.dhcp.network}: %{GREEDYDATA:efficient_ip.log.dhcp.discover.message}$'
+ - '^%{WORD:event.action} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{GREEDYDATA:efficient_ip.log.dhcp.trans_id}$'
+ - '^%{WORD:event.action} from %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id} uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} from %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{GREEDYDATA:efficient_ip.log.dhcp.trans_id}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_DHCPOFFER_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('DHCPOFFER')
+ patterns:
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} offered-duration %{NUMBER:efficient_ip.log.dhcp.offered.duration:long} uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} offered-duration %{GREEDYDATA:efficient_ip.log.dhcp.offered.duration:long}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} offered-duration %{GREEDYDATA:efficient_ip.log.dhcp.offered.duration:long} uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} offered-duration %{GREEDYDATA:efficient_ip.log.dhcp.offered.duration:long}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{GREEDYDATA:efficient_ip.log.dhcp.lease.duration:long}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_DHCPREQUEST_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('DHCPREQUEST')
+ patterns:
+ - '^%{WORD:event.action} for %{IP:client.ip} \(%{IP:efficient_ip.log.dhcp.router.ip}\) from %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id} uid %{DATA:efficient_ip.log.dhcp.uid} \(%{GREEDYDATA:efficient_ip.log.dhcp.lease.message}\)$'
+ - '^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id} uid %{DATA:efficient_ip.log.dhcp.uid} \(%{GREEDYDATA:efficient_ip.log.dhcp.lease.message}\)$'
+ - '^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id} uid %{DATA:efficient_ip.log.dhcp.uid}: %{GREEDYDATA:efficient_ip.log.dhcp.request.message}$'
+ - '^%{WORD:event.action} for %{IP:client.ip} \(%{IP:efficient_ip.log.dhcp.router.ip}\) from %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id} uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} for %{IP:client.ip} \(%{IP:efficient_ip.log.dhcp.router.ip}\) from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id} \(%{GREEDYDATA:efficient_ip.log.dhcp.lease.message}\)$'
+ - '^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id} uid %{DATA:efficient_ip.log.dhcp.uid} \(%{GREEDYDATA:efficient_ip.log.dhcp.lease.message}\)$'
+ - '^%{WORD:event.action} for %{IP:client.ip} \(%{IP:efficient_ip.log.dhcp.router.ip}\) from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id}: %{GREEDYDATA:efficient_ip.log.dhcp.request.message}$'
+ - '^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id}: %{GREEDYDATA:efficient_ip.log.dhcp.request.message}$'
+ - '^%{WORD:event.action} for %{IP:client.ip} \(%{IP:efficient_ip.log.dhcp.router.ip}\) from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{GREEDYDATA:efficient_ip.log.dhcp.trans_id}$'
+ - '^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id} uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{GREEDYDATA:efficient_ip.log.dhcp.trans_id}$'
+ - '^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name})$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_DHCPACK_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('DHCPACK')
+ patterns:
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} offered-duration %{NUMBER:efficient_ip.log.dhcp.offered.duration:long} \(%{DATA:efficient_ip.log.dhcp.message}\) uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} offered-duration %{NUMBER:efficient_ip.log.dhcp.offered.duration:long} \(%{DATA:efficient_ip.log.dhcp.message}\) uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} \(%{DATA:efficient_ip.log.dhcp.lease.message}\) uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} (?:\(%{DATA:efficient_ip.log.dhcp.client_hostname}\) )?via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} offered-duration %{NUMBER:efficient_ip.log.dhcp.offered.duration:long} \(%{DATA:efficient_ip.log.dhcp.message}\)$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} \(%{DATA:efficient_ip.log.dhcp.lease.message}\) uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} \(%{DATA:efficient_ip.log.dhcp.lease.message}\)$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} \(%{GREEDYDATA:efficient_ip.log.dhcp.lease.message}\)$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{GREEDYDATA:efficient_ip.log.dhcp.lease.duration:long}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:efficient_ip.log.dhcp.lease.duration:long} uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) relay (%{IP:efficient_ip.log.dhcp.relay.interface.ip}|%{WORD:efficient_ip.log.dhcp.relay.interface.name}) lease-duration %{GREEDYDATA:efficient_ip.log.dhcp.lease.duration:long}$'
+ - '^%{WORD:event.action} to %{IP:client.ip} \(%{MAC:client.mac}\) via %{WORD:observer.ingress.interface.name}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_RELEASE_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('RELEASE')
+ patterns:
+ - '^%{WORD:event.action} of %{IP:client.ip} from %{MAC:client.mac} \(%{DATA:efficient_ip.log.dhcp.client_hostname}\) via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) \(%{DATA:efficient_ip.log.dhcp.release.info}\) TransID %{DATA:efficient_ip.log.dhcp.trans_id} uid %{GREEDYDATA:efficient_ip.log.dhcp.uid}$'
+ - '^%{WORD:event.action} of %{IP:client.ip} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) \(%{DATA:efficient_ip.log.dhcp.release.info}\) TransID %{GREEDYDATA:efficient_ip.log.dhcp.trans_id}$'
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_DHCPEXPIRE_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('DHCPEXPIRE')
+ patterns:
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{GREEDYDATA:client.mac}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_DHCPINFORM_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('DHCPINFORM')
+ patterns:
+ - '^%{WORD:event.action} from %{IP:client.ip} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id}: %{GREEDYDATA:efficient_ip.log.dhcp.inform.message}$'
+ - '^%{WORD:event.action} from %{IP:client.ip} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{GREEDYDATA:efficient_ip.log.dhcp.trans_id}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_DHCPDECLINE_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('DHCPDECLINE')
+ patterns:
+ - '^%{WORD:event.action} of %{IP:client.ip} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}) TransID %{DATA:efficient_ip.log.dhcp.trans_id}: %{GREEDYDATA:efficient_ip.log.dhcp.decline.message}$'
+ - '^%{WORD:event.action} of %{IP:client.ip} from %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name}): %{GREEDYDATA:efficient_ip.log.dhcp.decline.message}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_DHCPNAK_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('DHCPNAK')
+ patterns:
+ - '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:efficient_ip.log.dhcp.interface.ip}|%{WORD:observer.ingress.interface.name})$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_DHCPLEASEQUERY_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('DHCPLEASEQUERY')
+ patterns:
+ - '^%{WORD:event.action} from %{IP:client.ip}: %{GREEDYDATA:efficient_ip.log.dhcp.lease_query.message}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_REFUSED_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('REFUSED')
+ patterns:
+ - '^%{REVERSE_UPDATE:event.action} for %{IP:client.ip} abandoned because of non-retryable failure: %{DATA:event.outcome}$'
+ - '^Unable to %{ADD_FORWARD:event.action} from %{DATA:efficient_ip.log.dhcp.forward_name} to %{IP:efficient_ip.log.dhcp.ip} by server %{IP:server.ip}#%{NUMBER:server.port:long}: %{DATA:event.outcome}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ pattern_definitions:
+ ADD_FORWARD: (?i:add forward map)
+ REVERSE_UPDATE: (?i:reverse map update)
+ - gsub:
+ field: event.action
+ pattern: ' '
+ replacement: '_'
+ if: ctx.event?.outcome?.equalsIgnoreCase('refused') == true
+ - set:
+ field: event.outcome
+ value: failure
+ if: ctx.event?.outcome?.equalsIgnoreCase('refused') == true
+ - grok:
+ tag: grok_Encapsulated_Solicit_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('Encapsulated Solicit')
+ patterns:
+ - '^%{DATA:event.action} message from %{IP:client.ip} port %{NUMBER:client.port:long} from client DUID %{GREEDYDATA:efficient_ip.log.dhcp.duid}, transaction ID %{GREEDYDATA:efficient_ip.log.dhcp.trans_id}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_Advertise_NA_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('Advertise NA')
+ patterns:
+ - '^%{DATA:event.action}: address %{IP:client.ip} to client with duid %{GREEDYDATA:efficient_ip.log.dhcp.duid} iaid = -%{GREEDYDATA:efficient_ip.log.dhcp.iaid} valid for %{NUMBER:efficient_ip.log.dhcp.validation_second:long} seconds$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_Relay_forward_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('Relay-forward')
+ patterns:
+ - '^%{DATA:event.action} message from %{IP:client.ip} port %{NUMBER:client.port:long}, link address %{IP:efficient_ip.log.dhcp.link_address}, peer address %{IP:efficient_ip.log.dhcp.peer_address}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_Encapsulating_Advertise_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('Encapsulating Advertise')
+ patterns:
+ - '^%{DATA:event.action} message to send to %{IP:client.ip} port %{NUMBER:client.port:long}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_Sending_Relay_reply_message
+ field: message
+ if: ctx.message != null && ctx.message.contains('Sending Relay-reply')
+ patterns:
+ - '^%{DATA:event.action} message to %{IP:client.ip} port %{NUMBER:client.port:long}$'
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - grok:
+ tag: grok_fallback_message
+ field: message
+ if: ctx.message != null && ctx.event?.action == null
+ patterns:
+ - '^%{GREEDYDATA:efficient_ip.log.dhcp.message}$'
+ - lowercase:
+ field: event.action
+ ignore_failure: true
+ ignore_missing: true
+ - gsub:
+ field: client.mac
+ ignore_missing: true
+ pattern: '[-:.]'
+ replacement: '-'
+ - uppercase:
+ field: client.mac
+ ignore_missing: true
+ - convert:
+ tag: convert_client_ip
+ field: client.ip
+ if: ctx.client?.ip != null && ctx.client.ip != ''
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: client.ip
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}in pipeline {{{_ingest.pipeline}}}
+ failed with message '{{{ _ingest.on_failure_message }}}'
+ - append:
+ field: related.ip
+ value: '{{{client.ip}}}'
+ if: ctx.client?.ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ tag: convert_dhcp_link_address
+ field: efficient_ip.log.dhcp.link_address
+ if: ctx.efficient_ip?.log?.dhcp?.link_address != null && ctx.efficient_ip.log.dhcp.link_address != ''
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: efficient_ip.log.dhcp.link_address
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}in pipeline {{{_ingest.pipeline}}}
+ failed with message '{{{ _ingest.on_failure_message }}}'
+ - append:
+ field: related.ip
+ value: '{{{efficient_ip.log.dhcp.link_address}}}'
+ if: ctx.efficient_ip?.log?.dhcp?.link_address != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ tag: convert_dhcp_peer_address
+ field: efficient_ip.log.dhcp.peer_address
+ if: ctx.efficient_ip?.log?.dhcp?.peer_address != null && ctx.efficient_ip.log.dhcp.peer_address != ''
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: efficient_ip.log.dhcp.peer_address
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}in pipeline {{{_ingest.pipeline}}}
+ failed with message '{{{ _ingest.on_failure_message }}}'
+ - append:
+ field: related.ip
+ value: '{{{efficient_ip.log.dhcp.peer_address}}}'
+ if: ctx.efficient_ip?.log?.dhcp?.peer_address != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ tag: convert_dhcp_router_ip
+ field: efficient_ip.log.dhcp.router.ip
+ if: ctx.efficient_ip?.log?.dhcp?.router?.ip != null && ctx.efficient_ip.log.dhcp.router.ip != ''
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: efficient_ip.log.dhcp.router.ip
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}in pipeline {{{_ingest.pipeline}}}
+ failed with message '{{{ _ingest.on_failure_message }}}'
+ - append:
+ field: related.ip
+ value: '{{{efficient_ip.log.dhcp.router.ip}}}'
+ if: ctx.efficient_ip?.log?.dhcp?.router?.ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ tag: convert_dhcp_interface_ip
+ field: efficient_ip.log.dhcp.interface.ip
+ if: ctx.efficient_ip?.log?.dhcp?.interface?.ip != null && ctx.efficient_ip.log.dhcp.interface.ip != ''
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: efficient_ip.log.dhcp.interface.ip
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}in pipeline {{{_ingest.pipeline}}}
+ failed with message '{{{ _ingest.on_failure_message }}}'
+ - append:
+ field: related.ip
+ value: '{{{efficient_ip.log.dhcp.interface.ip}}}'
+ if: ctx.efficient_ip?.log?.dhcp?.interface?.ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ tag: convert_dhcp_relay_interface_ip
+ field: efficient_ip.log.dhcp.relay.interface.ip
+ if: ctx.efficient_ip?.log?.dhcp?.relay?.interface?.ip != null && ctx.efficient_ip.log.dhcp.relay.interface.ip != ''
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: efficient_ip.log.dhcp.relay.interface.ip
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}in pipeline {{{_ingest.pipeline}}}
+ failed with message '{{{ _ingest.on_failure_message }}}'
+ - append:
+ field: related.ip
+ value: '{{{efficient_ip.log.dhcp.relay.interface.ip}}}'
+ if: ctx.efficient_ip?.log?.dhcp?.relay?.interface?.ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.hosts
+ value: '{{{efficient_ip.log.dhcp.client_hostname}}}'
+ if: ctx.efficient_ip?.log?.dhcp?.client_hostname != null
+ allow_duplicates: false
+ ignore_failure: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}in pipeline {{{_ingest.pipeline}}}
+ failed with message '{{{ _ingest.on_failure_message }}}'
\ No newline at end of file
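Review bot: In the `grok_DHCPEXPIRE_message` processor the first pattern captures `%{GREEDYDATA:client.mac}`, so whatever follows `to ` on the line lands in `client.mac`, while every other pattern in this pipeline uses `%{MAC:client.mac}`. The later `gsub` and `uppercase` steps then rewrite that free text as if it were an address, and anything that correlates on `client.mac` would see values that are not MAC addresses. I would change the line to `- '^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac}$'`; lines that do not fit still fall through to the `efficient_ip.log.dhcp.message` catch-all below it. A related concern is the `%{GREEDYDATA:…:long}` duration captures in the DHCPOFFER and DHCPACK patterns, where a non-numeric tail would presumably fail the `long` conversion rather than try the next pattern.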
diff --git a/packages/efficient_ip/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml b/packages/efficient_ip/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml
new file mode 100644
index 00000000000..282e00f64cd
--- /dev/null
+++ b/packages/efficient_ip/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml
@@ -0,0 +1,169 @@
+---
+description: Pipeline for parsing EfficientIP DNS logs.
+processors:
+ - set:
+ field: network.protocol
+ value: dns
+ - grok:
+ field: message
+ patterns:
+ - "%{CLIENT}\\s*\\(%{GREEDYDATA}.\\)\\:\\s*%{NOTSPACE:efficient_ip.log.dns.category}\\: %{DATA:dns.question.name} %{DATA:dns.question.class} %{WORD:dns.question.type} \\(%{IP:server.ip}\\) -> %{WORD:dns.response_code}(\\s+%{GREEDYDATA:dns_answers_data})?"
+ - "%{CLIENT}\\s+(\\(%{GREEDYDATA}.\\))?\\s*%{NOTSPACE:efficient_ip.log.dns.category}\\: %{DATA:dns.question.name} %{DATA:dns.question.class} %{WORD:dns.question.type}\\s+\\(%{IP:server.ip}\\)$"
+ - "%{CLIENT}\\s+update '%{DATA:dns.question.name}/%{WORD:dns.question.class}' %{GREEDYDATA:efficient_ip.log.dns.category}"
+ pattern_definitions:
+ CLIENT: 'client (?:%{DATA} )?%{IP:client.ip}#%{NUMBER:client.port:long}:?'
+ VIEW: 'view %{DATA:efficient_ip.log.view}: '
+ - date:
+ field: _tmp.timestamp
+ target_field: _tmp.timestamp
+ if: ctx._tmp?.timestamp != null && ctx.event?.timezone != null
+ tag: date_tmp_timestamp_tz
+ timezone: '{{{event.timezone}}}'
+ formats:
+ - dd-MMM-yyyy HH:mm:ss.SSS
+ - yyyy-MM-dd HH:mm:ss.SSS'Z'
+ on_failure:
+ - remove:
+ field: _tmp.timestamp
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
+ - date:
+ field: _tmp.timestamp
+ target_field: _tmp.timestamp
+ tag: date_tmp_timestamp_notz
+ if: ctx._tmp?.timestamp != null && ctx.event?.timezone == null
+ formats:
+ - dd-MMM-yyyy HH:mm:ss.SSS
+ - yyyy-MM-dd HH:mm:ss.SSS'Z'
+ on_failure:
+ - remove:
+ field: _tmp.timestamp
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
+ - script:
+ lang: painless
+ if: "ctx.dns_answers_data != null && ctx.dns_answers_data != ''"
+ description: "Parse DNS answer records"
+ source: |
+ def answers = new ArrayList();
+ def text = ctx.dns_answers_data.trim();
+ def validTypes = new HashSet(['A','AAAA','CNAME','SOA','SRV','PTR','MX','NS','TXT']);
+ // Split by spaces and walk tokens to find TTL TYPE boundaries
+ def tokens = text.splitOnToken(' ');
+ int i = 0;
+ while (i < tokens.length - 1) {
+ def tok = tokens[i];
+ // Skip empty tokens from multiple spaces
+ if (tok.length() == 0) { i++; continue; }
+ // Check if token is a number (TTL) followed by a valid type
+ boolean isNum = true;
+ for (int c = 0; c < tok.length(); c++) {
+ if (!Character.isDigit(tok.charAt(c))) { isNum = false; break; }
+ }
+ if (!isNum) { i++; continue; }
+ // Find next non-empty token
+ int j = i + 1;
+ while (j < tokens.length && tokens[j].length() == 0) { j++; }
+ if (j >= tokens.length) break;
+ def typeStr = tokens[j];
+ boolean isType = validTypes.contains(typeStr) || (typeStr.length() > 4 && typeStr.substring(0, 4).equals('TYPE'));
+ if (!isType) { i++; continue; }
+ // Collect data tokens until next TTL+TYPE pair or end
+ int dataStart = j + 1;
+ int dataEnd = dataStart;
+ while (dataEnd < tokens.length) {
+ def dt = tokens[dataEnd];
+ if (dt.length() == 0) { dataEnd++; continue; }
+ boolean dtIsNum = true;
+ for (int c = 0; c < dt.length(); c++) {
+ if (!Character.isDigit(dt.charAt(c))) { dtIsNum = false; break; }
+ }
+ if (dtIsNum && dataEnd + 1 < tokens.length) {
+ int k = dataEnd + 1;
+ while (k < tokens.length && tokens[k].length() == 0) { k++; }
+ if (k < tokens.length) {
+ def nt = tokens[k];
+ if (validTypes.contains(nt) || (nt.length() > 4 && nt.substring(0, 4).equals('TYPE'))) {
+ break;
+ }
+ }
+ }
+ dataEnd++;
+ }
+ def dataParts = new ArrayList();
+ for (int d = dataStart; d < dataEnd; d++) {
+ if (tokens[d].length() > 0) dataParts.add(tokens[d]);
+ }
+ def answer = new HashMap();
+ answer.put('type', typeStr);
+ answer.put('data', String.join(' ', dataParts));
+ answers.add(answer);
+ i = dataEnd;
+ }
+ if (ctx.dns == null) {
+ ctx.dns = new HashMap();
+ }
+ ctx.dns.put('answers', answers);
+ if (ctx.efficient_ip?.log?.dns == null) {
+ if (ctx.efficient_ip == null) ctx.efficient_ip = new HashMap();
+ if (ctx.efficient_ip.log == null) ctx.efficient_ip.put('log', new HashMap());
+ if (ctx.efficient_ip.log.dns == null) ctx.efficient_ip.log.put('dns', new HashMap());
+ }
+ ctx.efficient_ip.log.dns.put('answers', answers);
+ ctx.remove('dns_answers_data');
+ - convert:
+ field: server.ip
+ if: ctx.server?.ip != null && ctx.server.ip != ''
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: server.ip
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
+ - append:
+ field: related.ip
+ value: '{{{server.ip}}}'
+ if: ctx.server?.ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.hosts
+ value: '{{{dns.question.name}}}'
+ if: ctx.dns?.question?.name != null
+ allow_duplicates: false
+ ignore_failure: true
+ - registered_domain:
+ field: "dns.question.name"
+ target_field: "dns.question"
+ if: ctx.dns?.question != null
+ - remove:
+ field:
+ - repeat_message
+ - dns.question.domain
+ ignore_missing: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
\ No newline at end of file
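Review bot: The "Parse DNS answer records" script finds record boundaries only by a digits-only token followed by a name in `validTypes` (nine types) or a `TYPE`-prefixed token, which leaves two gaps. An answer of any other type (for example DNSKEY, HTTPS or CAA, if the appliance logs them by name) is not recognised: it is appended to the previous answer's `data`, or skipped when it comes first. Conversely, record data that itself contains such a pair, which TXT content supplied by a remote zone could, is split into extra entries in `dns.answers`. I would extend the set to the types the device can emit and state the assumption above the tokenising line, e.g. `// Assumes record data never contains "<digits> <TYPE>"; such data is split into separate answers.`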
diff --git a/packages/efficient_ip/data_stream/log/fields/base-fields.yml b/packages/efficient_ip/data_stream/log/fields/base-fields.yml
new file mode 100644
index 00000000000..7c798f4534c
--- /dev/null
+++ b/packages/efficient_ip/data_stream/log/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/efficient_ip/data_stream/log/fields/fields.yml b/packages/efficient_ip/data_stream/log/fields/fields.yml
new file mode 100644
index 00000000000..a7cd550f46a
--- /dev/null
+++ b/packages/efficient_ip/data_stream/log/fields/fields.yml
@@ -0,0 +1,145 @@
+- name: efficient_ip.log
+ type: group
+ fields:
+ - name: dhcp
+ type: group
+ fields:
+ - name: client_hostname
+ type: keyword
+ - name: decline
+ type: group
+ fields:
+ - name: message
+ type: keyword
+ - name: duid
+ type: keyword
+ - name: discover
+ type: group
+ fields:
+ - name: message
+ type: keyword
+ - name: iaid
+ type: keyword
+ - name: inform
+ type: group
+ fields:
+ - name: message
+ type: keyword
+ - name: interface
+ type: group
+ fields:
+ - name: ip
+ type: ip
+ - name: ip
+ type: ip
+ - name: forward_name
+ type: keyword
+ - name: lease
+ type: group
+ fields:
+ - name: duration
+ type: long
+ - name: message
+ type: keyword
+ - name: lease_query
+ type: group
+ fields:
+ - name: message
+ type: keyword
+ - name: link_address
+ type: keyword
+ - name: message
+ type: text
+ - name: network
+ type: keyword
+ - name: offered
+ type: group
+ fields:
+ - name: duration
+ type: long
+ - name: peer_address
+ type: keyword
+ - name: relay
+ type: group
+ fields:
+ - name: interface
+ type: group
+ fields:
+ - name: ip
+ type: ip
+ - name: name
+ type: keyword
+ - name: release
+ type: group
+ fields:
+ - name: info
+ type: keyword
+ - name: request
+ type: group
+ fields:
+ - name: message
+ type: keyword
+ - name: router
+ type: group
+ fields:
+ - name: ip
+ type: ip
+ - name: trans_id
+ type: keyword
+ - name: uid
+ type: keyword
+ - name: validation_second
+ type: long
+ - name: service_name
+ type: keyword
+ - name: type
+ type: keyword
+ - name: view
+ type: keyword
+ - name: dns
+ type: group
+ fields:
+ - name: after_query
+ type: text
+ - name: answers_policy
+ type: text
+ - name: before_query
+ type: text
+ - name: category
+ type: text
+ - name: failed_message
+ type: text
+ - name: message
+ type: text
+ - name: view_name
+ type: text
+ - name: version
+ type: text
+ - name: header_flags
+ type: keyword
+ - name: rpz
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ - name: domain
+ type: keyword
+ - name: domain_rewrite
+ type: keyword
+ - name: query_class
+ type: keyword
+ - name: query_class_rewrite
+ type: keyword
+ - name: rule_type
+ type: keyword
+ - name: type
+ type: keyword
+ - name: answers
+ type: group
+ fields:
+ - name: ancount
+ type: long
+ - name: type
+ type: keyword
+ - name: data
+ type: keyword
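Review bot: In the `dns` group, `category`, `view_name` and `version` are mapped as `text`, which is analyzed and not aggregatable by default, so detection rules and dashboards cannot do exact-match filtering or terms aggregations on them. The sample events in this diff carry `efficient_ip.log.dns.category` as a short enumerated value (`answer`, `query`), so `type: keyword` fits those three fields better. `text` can stay for the free-form ones such as `message` and `failed_message`. None of the fields in this file has a `description`; a one-line `description:` per field would tell rule authors what each value means.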
diff --git a/packages/efficient_ip/data_stream/log/manifest.yml b/packages/efficient_ip/data_stream/log/manifest.yml
new file mode 100644
index 00000000000..7409a05942c
--- /dev/null
+++ b/packages/efficient_ip/data_stream/log/manifest.yml
@@ -0,0 +1,43 @@
+title: "EfficientIP Logging"
+type: logs
+streams:
+ - input: udp
+ title: "logs via UDP"
+ description: |-
+ Collect EfficientIP logs via UDP
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - efficientip-log
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: tz_offset
+ type: text
+ title: Timezone Offset
+ multi: false
+ required: true
+ show_user: true
+ default: local
+ description: >-
+ By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT.
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
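Review bot: The UDP stream declares only `tags`, `preserve_original_event`, `tz_offset` and `processors`, but the README in this diff lists Max Message Size, Read Buffer and Read Timeout as common optional settings. No var for them is visible here or in the package manifest, and `udp.yml.hbs` is not shown, so either expose them as vars or drop them from the README. An operator who cannot raise the maximum message size may lose the tail of long DNS log lines, assuming the input truncates at that limit. The `tz_offset` description also ends with `from UCT`, which should read `from UTC`.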
diff --git a/packages/efficient_ip/data_stream/log/sample_event.json b/packages/efficient_ip/data_stream/log/sample_event.json
new file mode 100644
index 00000000000..03a0729c923
--- /dev/null
+++ b/packages/efficient_ip/data_stream/log/sample_event.json
@@ -0,0 +1,53 @@
+{
+ "@timestamp": "2026-02-25T10:14:26.000Z",
+ "client": {
+ "ip": "10.10.10.10",
+ "port": 58860
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "test.foo.bar.",
+ "type": "A"
+ },
+ "response_code": "NXDOMAIN"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "answer"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-02-25T10:14:26.000Z",
+ "original": "<13>Feb 25 10:14:26 named[52927]: client 10.10.10.10#58860 (test.foo.bar.): answer: test.foo.bar. IN A (10.0.0.1) -> NXDOMAIN"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 52927
+ },
+ "related": {
+ "hosts": [
+ "test.foo.bar."
+ ],
+ "ip": [
+ "10.0.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.0.0.1"
+ }
+}
\ No newline at end of file
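Review bot: `related.ip` in this sample holds only the server address `10.0.0.1`, and `client.ip` (`10.10.10.10`) is missing, so a pivot on `related.ip` during an investigation will not find the querying client. The visible part of the pipeline in this diff appends only `'{{{server.ip}}}'` to `related.ip`, though the pipeline starts outside the visible part of the diff, so an earlier processor may exist that does not fire for this message. If it is indeed missing, add a second `append` with `value: '{{{client.ip}}}'` and `if: ctx.client?.ip != null`, then regenerate the sample. `packages/efficient_ip/sample_event.json` shows the same gap.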
diff --git a/packages/efficient_ip/docs/README.md b/packages/efficient_ip/docs/README.md
new file mode 100644
index 00000000000..eed6ed8959a
--- /dev/null
+++ b/packages/efficient_ip/docs/README.md
@@ -0,0 +1,81 @@
+
+
+
+# EfficientIP Integration for Elastic
+
+The EfficientIP integration collects and parses data from [EfficientIP](https://efficientip.com/) DDI (DNS, DHCP, and IPAM) solutions, enabling centralized monitoring and analysis of network infrastructure events within Elastic.
+
+## Overview
+
+The EfficientIP integration for Elastic enables collection of event logs from DNS, DHCP and IPAM. This integration enables the
+following use cases:
+- DNS query monitoring and threat detection
+- DHCP lease management and IP address tracking
+- IPAM auditing and infrastructure compliance
+- Network anomaly identification and security investigations
+
+### Compatibility
+
+This integration is tested with EfficientIP version 8.4.7e
+
+## What data does this integration collect?
+
+This integration collects the following data types from EfficientIP DDI solutions:
+
+- **DNS Events**: Query logs, response codes, and DNS transactions
+- **DHCP Events**: Lease assignments, renewals, releases, and IP address allocations
+- **IPAM Events**: Address space changes, subnet modifications, and infrastructure audits
+
+All events are forwarded via syslog and processed through Elastic ingest pipelines for analysis and visualization within the Elastic Stack.
+
+
+## What do I need to use this integration?
+
+Minimum requierment Elastic stack 9.0.x and EfficientIP version 8.4.7e
+
+
+## Deployment methods
+This integration supports the following deployment methods:
+
+**Syslog-based**: EfficientIP nodes forward events to a syslog destination where Elastic Agent collects and processes the data.
+
+To configure syslog forwarding on an EfficientIP node:
+
+1. Access the EfficientIP administration interface
+2. Navigate to **System Settings** > **Logging** or **Event Forwarding**
+3. Select **Syslog** as the destination type
+4. Enter the syslog receiver host IP address and port
+6. Verify the connection and enable syslog forwarding
+7. Configure Elastic Agent to listen on the syslog port and ingest the forwarded events
+
+Refer to the EfficientIP documentation for your version for detailed configuration steps specific to your deployment.
+
+### Agent-based deployment
+Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.
+
+Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
+
+### Inputs used
+
+These inputs can be used with this integration:
+
+udp
+
+## Setup
+
+For more details about the UDP input settings, check the [Filebeat documentation](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-udp).
+
+### Collecting logs from UDP
+
+To collect logs via UDP, select **Collect logs via UDP** and configure the following parameters:
+
+**Required Settings:**
+- Host
+- Port
+
+**Common Optional Settings:**
+- Max Message Size - Maximum size of UDP packets to accept (default: 10KB, max: 64KB)
+- Read Buffer - UDP socket read buffer size for handling bursts of messages
+- Read Timeout - How long to wait for incoming packets before checking for shutdown
+
+
diff --git a/packages/efficient_ip/img/EIP-Logo.svg b/packages/efficient_ip/img/EIP-Logo.svg
new file mode 100644
index 00000000000..23ddd7902e3
--- /dev/null
+++ b/packages/efficient_ip/img/EIP-Logo.svg
@@ -0,0 +1,20 @@
+
+
diff --git a/packages/efficient_ip/img/EIP-Logo_BlueGrey.svg b/packages/efficient_ip/img/EIP-Logo_BlueGrey.svg
new file mode 100644
index 00000000000..f163b40e557
--- /dev/null
+++ b/packages/efficient_ip/img/EIP-Logo_BlueGrey.svg
@@ -0,0 +1,20 @@
+
+
diff --git a/packages/efficient_ip/img/sample-logo.svg b/packages/efficient_ip/img/sample-logo.svg
new file mode 100644
index 00000000000..6268dd88f3b
--- /dev/null
+++ b/packages/efficient_ip/img/sample-logo.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/efficient_ip/img/sample-screenshot.png b/packages/efficient_ip/img/sample-screenshot.png
new file mode 100644
index 00000000000..d7a56a3ecc0
Binary files /dev/null and b/packages/efficient_ip/img/sample-screenshot.png differ
diff --git a/packages/efficient_ip/manifest.yml b/packages/efficient_ip/manifest.yml
new file mode 100644
index 00000000000..89abaef5b39
--- /dev/null
+++ b/packages/efficient_ip/manifest.yml
@@ -0,0 +1,56 @@
+format_version: 3.5.7
+name: efficient_ip
+title: "EfficientIP DDI Logging"
+version: 0.0.1
+source:
+ license: "Elastic-2.0"
+description: "EfficientIP DDI integration for DNS and DHCP log ingestion"
+type: integration
+categories:
+ - custom
+ - network
+ - monitoring
+ - security
+conditions:
+ kibana:
+ version: "^9.2.0"
+ elastic:
+ subscription: "basic"
+screenshots:
+ - src: /img/sample-screenshot.png
+ title: Sample screenshot
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/EIP-Logo_BlueGrey.svg
+ title: EIP Logo
+ size: 96x96
+ type: image/svg+xml
+policy_templates:
+ - name: EfficientIP
+ title: EfficientIP DDI logs
+ description: Collect EfficientIP DDI logs.
+ inputs:
+ - type: udp
+ vars:
+ - name: listen_address
+ type: text
+ title: Listen Address
+ description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The UDP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9028
+ title: Collect logs from EfficientIP DDI via UDP input
+ description: Collecting syslog from EfficientIP DDI via UDP input.
+owner:
+ github: elastic/integrations
+ type: community
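Review bot: The `listen_address` description points users to `0.0.0.0` without saying that UDP syslog has no sender authentication or encryption, so anything that can reach the port can inject events once the input is bound beyond `localhost`. I would extend the description, for example: `Set to 0.0.0.0 to bind to all available interfaces; restrict which hosts can reach this port with firewall rules, because UDP syslog does not authenticate senders.` Separately, `conditions.kibana.version` is `^9.2.0` while the README in this diff states a minimum of Elastic stack 9.0.x, so one of the two needs correcting.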
diff --git a/packages/efficient_ip/sample_event.json b/packages/efficient_ip/sample_event.json
new file mode 100644
index 00000000000..0cda45e75c0
--- /dev/null
+++ b/packages/efficient_ip/sample_event.json
@@ -0,0 +1,58 @@
+{
+ "@timestamp": "2026-04-17T12:39:52.000Z",
+ "client": {
+ "ip": "10.1.0.42",
+ "port": 56474
+ },
+ "dns": {
+ "question": {
+ "class": "IN",
+ "name": "euc-common.online.office.com",
+ "registered_domain": "office.com",
+ "subdomain": "euc-common.online",
+ "top_level_domain": "com",
+ "type": "A"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "efficient_ip": {
+ "log": {
+ "dns": {
+ "category": "query"
+ },
+ "service_name": "named",
+ "type": "DNS"
+ }
+ },
+ "event": {
+ "created": "2026-04-17T12:39:52.000Z",
+ "original": "<13>Apr 17 12:39:52 eip-dns-test01 named[7092]: client 10.1.0.42#56474: query: euc-common.online.office.com IN A (10.100.0.1)"
+ },
+ "host": {
+ "name": "eip-dns-test01"
+ },
+ "log": {
+ "syslog": {
+ "priority": 13
+ }
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "pid": 7092
+ },
+ "related": {
+ "hosts": [
+ "euc-common.online.office.com"
+ ],
+ "ip": [
+ "10.100.0.1"
+ ]
+ },
+ "server": {
+ "ip": "10.100.0.1"
+ }
+}
\ No newline at end of file