ISC Bind9

ISC Bind9 is open source DNS server software; InsightIDR ingests its query logs as DNS events. Read more about Bind on the ISC website: https://www.isc.org/downloads/bind/

Before You Begin

In order to capture data in InsightIDR from this event source, you must configure ISC Bind9 to send all query logs to syslog, and then forward them to the InsightIDR Collector. Read about how to do so on the Syslog Logging page.

You can configure ISC Bind9 to forward syslog by reading the directions in their logging recommendations here: https://kb.isc.org/article/AA-01526/0/BIND-Logging-some-basic-recommendations.html.

Configuring Linux

You must first enable and configure logging on the Linux host that runs Bind9 so that it sends query logs to syslog.

To configure logging on Linux configurations using RHEL7/OEL7/Centos7:

  1. Navigate to the location where you installed ISC Bind9.
  2. Using an SSH or Telnet terminal emulator, enter the command cat /etc/named.conf to inspect the file named.conf before editing it.
  3. Add the following channel to the logging{} block section:
```
channel queries_log {
    syslog local4;
    print-time yes;
    print-category yes;
    print-severity yes;
    severity debug;
};

category queries { queries_log; };
```

Note that syslog local4 is the local facility that you are designating for syslog.

When you have completed, the logging{} section should look like this:

```
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };

    channel queries_log {
        syslog local4;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug;
    };

    category queries { queries_log; };
};
```
  4. Restart the named service by entering the command: # systemctl restart named. This stops and restarts the service and reloads the configuration file. Note that # indicates that you are running the command as the administrator or root user.
  5. Next, configure your local syslog daemon to send logs to your Collector. To do that, enter the command vi rsyslog.conf to open the file in a text editor (such as Vim).
  6. Go to the bottom of the file and find the line that reads remote host is. Here, add the IP address and hostname of your Collector.
  7. Save your file.
  8. Finally, restart the rsyslog service with the following command: # systemctl restart rsyslog

Expected Format

The Insight platform will process logs from this event source in the following format:

```text
<30>Apr 12 11:57:50 mydnsserver-03 named[32176]: 12-Apr-2018 11:57:50.373 client 10.1.1.101#24360 (ssl.gstatic.com): query: ssl.gstatic.com IN A + (10.2.1.22)
```
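The following parser, an added example that is not part of the Rapid7 page or the InsightIDR product, breaks a line in the format above into its syslog envelope (PRI decoded to facility and severity) and BIND query fields; the optional "@0x..." client token it tolerates is an assumption about newer BIND releases, not something the sample line shows.

```python
import re
from typing import Optional

# Syslog facility numbers 0-23 and severities 0-7 (RFC 5424 section 6.2.1).
FACILITIES = (
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
    "ntp security console solaris-cron local0 local1 local2 local3 "
    "local4 local5 local6 local7"
).split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# Matches the expected format shown above. The optional "@0x..." token is the
# client-object address newer BIND releases insert after "client" (assumption).
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<syslog_ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) named\[(?P<pid>\d+)\]: (?P<bind_ts>\S+ \S+) client "
    r"(?:@0x[0-9a-fA-F]+ )?(?P<client_ip>[^#\s]+)#(?P<client_port>\d+) "
    r"\((?P<query_paren>[^)]*)\): query: (?P<qname>\S+) (?P<qclass>\S+) "
    r"(?P<qtype>\S+) (?P<flags>\S+) \((?P<server_ip>[^)]+)\)$"
)


def parse_query_log(line: str) -> Optional[dict]:
    """Return the fields of one BIND query log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    flags = m["flags"]
    return {
        "facility": FACILITIES[pri // 8],   # <30> -> 3 -> daemon
        "severity": SEVERITIES[pri % 8],    # <30> -> 6 -> info
        "host": m["host"],
        "pid": int(m["pid"]),
        "client_ip": m["client_ip"],
        "client_port": int(m["client_port"]),
        "qname": m["qname"],
        "qclass": m["qclass"],
        "qtype": m["qtype"],
        "recursion_desired": flags.startswith("+"),  # "+" = RD set, "-" = not set
        "flags": flags,
        "server_ip": m["server_ip"],
    }


def expected_pri(facility: str, severity: str) -> int:
    """PRI value that a line logged through the given facility/severity carries."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


# Constructed sample input: the line shown on this page.
SAMPLE = ("<30>Apr 12 11:57:50 mydnsserver-03 named[32176]: 12-Apr-2018 11:57:50.373 "
          "client 10.1.1.101#24360 (ssl.gstatic.com): query: ssl.gstatic.com IN A + (10.2.1.22)")

if __name__ == "__main__":
    print(parse_query_log(SAMPLE))
    print("PRI for local4/info:", expected_pri("local4", "info"))
```

Note that the sample line's PRI of 30 decodes to the daemon facility at info severity, whereas queries sent through the local4 channel configured above arrive with PRI 166 (local4 = 20, 20 * 8 + 6); check the facility when a Collector receives lines it does not parse.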

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for ISC Bind9 in the event sources search bar.
    • In the Product Type filter, select DNS.
  3. Select the ISC Bind9 event source tile.
  4. Choose your collector. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally, choose to send unparsed logs.
  7. Configure the inactivity timeout threshold in minutes.
  8. Select a collection method and specify a port and a protocol.
    • Optionally, choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
  9. Click Save.