Having issues sending BIND logs to SIEM

Postby deltatux » 2016-06-01 19:09

Hi everyone!

I'm trying to set up a DNS sinkhole using BIND and Debian to capture malicious DNS queries so we can stop them in their tracks before they can communicate with the malicious servers. I have successfully got the sinkhole working and it works beautifully, but I need to be able to capture all of its DNS queries and send them to our QRadar SIEM.

QRadar supports receiving BIND logs via syslog and so I set up rsyslog to become the client to send the query logs over to QRadar for processing. However, when setting it up, it doesn't seem to want to send the logs to the SIEM. I attempted to log locally and it worked flawlessly, leading me to believe that this issue stems from the rsyslog client on the Debian box instead. I also thought there was an issue with QRadar not picking up logs being sent via syslog but other log sources are properly logging into the SIEM using that method.

Logging options in BIND:

logging {
      channel default_syslog {
            // Send most of the named messages to a local file.
            file "/var/log/named.log";
            severity debug;
      };

      channel audit_log {
            // Send the security related messages to a separate file.
            file "/var/log/named.audit.log";
            severity debug;
            print-time yes;
      };

      channel query_log {
            // Send query messages to syslog, facility local3.
            syslog local3;
            severity info;
            print-time yes;
            print-severity yes;
            print-category yes;
      };

      category default { default_syslog; };
      category general { default_syslog; };
      category security { audit_log; default_syslog; };
      category config { default_syslog; };
      category resolver { audit_log; };
      category xfer-in { audit_log; };
      category xfer-out { audit_log; };
      category notify { audit_log; };
      category client { audit_log; };
      category network { audit_log; };
      category update { audit_log; };
      category queries { query_log; };
      category lame-servers { audit_log; };
};


rsyslog.conf:
#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#                       For more information see
#                       /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html


#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf


###############
#### RULES ####
###############

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err

#
# Logging for INN news system.
#
news.crit                       /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                     -/var/log/news/news.notice

#
# Some "catch-all" log files.
#
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                         :omusrmsg:*

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#       news.=crit;news.=err;news.=notice;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
daemon.*;mail.*;\
        news.err;\
        *.=debug;*.=info;\
        *.=notice;*.=warn       |/dev/xconsole

# Logging BIND to QRadar
# ### begin forwarding rule ###
# The statements between the begin ... end markers define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
local3.* @172.16.0.138:514
# ### end of the forwarding rule ###


I just wanted to see if anyone can assist me in pinning down the issue and seeing how I can resolve this. Any assistance is greatly appreciated, thanks!

Cheers,
deltatux
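An added example (not from the original post, rsyslog, BIND or QRadar) for checking the forwarding path end to end: a minimal UDP syslog receiver that decodes the PRI header into facility/severity and pulls the client address and query name out of a BIND query-log line. Note that in rsyslog a single `@` selects UDP and `@@` selects TCP, so the rule above sends UDP despite its comment; the receiver therefore listens on UDP, and the port (5514) and sample datagram are assumed values.

```python
#!/usr/bin/env python3
"""Hypothetical helper: receive syslog datagrams and parse BIND query lines.
Run on the collector (or any host you temporarily point the rsyslog rule at):
    python3 syslog_probe.py 5514
then from the Debian box:  logger -p local3.info "probe from sinkhole"."""
import re
import socket
import sys

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# BIND 9 query log line; "@0x..." client pointer is optional (newer releases).
BIND_QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[^#\s]+)#(?P<port>\d+)(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[^)]+)\)")

def parse_syslog(datagram: bytes) -> dict:
    """Decode PRI into facility/severity; attach parsed BIND query fields if present."""
    text = datagram.decode("utf-8", "replace")
    m = PRI_RE.match(text)
    if not m:
        return {"error": "no PRI header", "raw": text}
    pri = int(m.group(1))
    facility, severity = divmod(pri, 8)
    rec = {"pri": pri, "msg": m.group(2),
           "facility": FACILITIES[facility] if facility < len(FACILITIES) else str(facility),
           "severity": SEVERITIES[severity]}
    q = BIND_QUERY_RE.search(rec["msg"])
    if q:
        rec["query"] = q.groupdict()
    return rec

def listen(port: int, count: int) -> list:
    """Receive `count` datagrams on UDP `port`, print and return the parsed records."""
    records = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while len(records) < count:
            data, (src, _) = sock.recvfrom(65535)
            rec = parse_syslog(data)
            rec["src"] = src          # confirms which host actually sent it
            records.append(rec)
            print(rec)
    return records

# Constructed sample in rsyslog's traditional forward format; PRI 158 = local3 (19*8) + info (6).
SAMPLE = (b"<158>Jun  1 19:09:00 sinkhole named[1234]: 01-Jun-2016 19:09:00.123 queries: info: "
          b"client 192.0.2.10#51234 (evil.example): query: evil.example IN A + (192.0.2.53)")

if __name__ == "__main__":
    listen(int(sys.argv[1]) if len(sys.argv) > 1 else 5514, count=1)
```

If nothing arrives here while `logger -p local3.info` writes to the local syslog, the problem is on the sending side (rule, transport or a host firewall) rather than in QRadar.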