BIND dns with Beats

Gomeisa · September 6, 2020, 4:06am

Hi,
I want to use elastic siem for my DNS server logs,
we are using a BIND DNS server, I don't want to install Packetbeat/Filebeat on the DNS server machine. we use syslog-ng to redirect DNS server logs to UDP port 514.

This is how my logs look like: (I get these result using nc -luv 514)

    <13>Sep  6 08:17:39 ns BIND-DNS: 08:17:39.181 resolver: debug 1: createfetch: telemetry.dropbox.com A
    <13>Sep  6 08:17:39 ns BIND-DNS: 08:17:39.283 database: debug 1: decrement_reference: delete from rbt: 0x7f38645f44e0 g.live.com
    <13>Sep  6 08:17:39 ns BIND-DNS: 08:17:39.294 resolver: debug 1: createfetch: telemetry.v.dropbox.com A
    <13>Sep  6 08:17:33 ns BIND-DNS: 08:17:35.173 queries: info: client 192.168.30.114#51723 (www.google.com): query: www.google.com IN A + (192.168.100.35)

I'm really confused and I don't have any idea what should I use, packetbeat (dns module)? filebeat dns/udp/syslog? I have tried with packetbeat and filebeat but I can't get it to work
can someone please point me in the right direction?

warkolm · September 6, 2020, 11:50pm

And where do they go from there?

Gomeisa · September 8, 2020, 4:25am

syslog-ng redirect logs to my elasticsearch server.
the sample logs were received on the elastic server.

warkolm · September 8, 2020, 4:27am

It goes directly to Elasticsearch from syslog-ng?
What do Beats have to do with things then?

Gomeisa · September 8, 2020, 4:45am

Sorry, I think I explained badly, I meant it goes to the host that running my Elasticsearch. if I listen on port 514 I can see the logs, But now I need beats to send them to elasticsearch.

warkolm · September 8, 2020, 4:50am

Ok, did you look at https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-syslog.html?

Gomeisa · September 8, 2020, 4:59am

Yes, I have tested syslog with UDP 514 but it didn't work.
It seems like it couldn't parse the data, or my data wasn't the expected format.
I know I can use processor for parsing, but I was looking for some preconfigured module that can detect DNS data (maybe like packetbeat dns config)

warkolm · September 8, 2020, 5:09am

Ah ok, that's a bit clearer now

There's not at the moment, but it shouldn't be too hard to parse with an ingest pipeline. Can you share part of the raw log?

Gomeisa · September 8, 2020, 5:14am

Thanks for being so patient

Gomeisa:

    <13>Sep  6 08:17:39 ns BIND-DNS: 08:17:39.181 resolver: debug 1: createfetch: telemetry.dropbox.com A
    <13>Sep  6 08:17:39 ns BIND-DNS: 08:17:39.283 database: debug 1: decrement_reference: delete from rbt: 0x7f38645f44e0 g.live.com
    <13>Sep  6 08:17:39 ns BIND-DNS: 08:17:39.294 resolver: debug 1: createfetch: telemetry.v.dropbox.com A
    <13>Sep  6 08:17:33 ns BIND-DNS: 08:17:35.173 queries: info: client 192.168.30.114#51723 (www.google.com): query: www.google.com IN A + (192.168.100.35)

this is how my raw logs look like.

warkolm · September 8, 2020, 5:20am

No worries, I forgot you posted that originally!

I'll check out a possible pattern and circle back around on this/

Gomeisa · September 8, 2020, 5:22am

Thank you, I greatly appreciate it

warkolm · September 17, 2020, 12:22am

I ran into a bug with this, which held things up.

<%{NUMBER:number}> %{MONTH:month} %{MONTHDAY:monthday} %{TIME:time} %{WORD:word} %{WORD:word2}-%{WORD:word3}: %{GREEDYDATA:data} is a pattern that works with what you have provided.

system · October 15, 2020, 2:22am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.