ISC Bind9

ISC Bind9 is open source DNS server software that lets you publish DNS information for your domains. Read more about BIND on the ISC website: https://www.isc.org/downloads/bind/

Before You Begin

In order to capture data in InsightIDR from this event source, you must configure ISC Bind9 to send all query logs to syslog and then forward them to the InsightIDR Collector. Read how to do so on the Syslog Logging page.

You can configure ISC Bind9 to log to syslog by following ISC's logging recommendations: https://kb.isc.org/article/AA-01526/0/BIND-Logging-some-basic-recommendations.html.

Configuring Linux

You must first enable and configure Linux to send logs.

To configure logging on Linux systems running RHEL7/OEL7/CentOS7:

  1. Navigate to the location where you installed ISC Bind9.
  2. Using an SSH/Telnet terminal emulator, enter the command cat /etc/named.conf to view the file named.conf, then open it in a text editor (such as Vim) to edit it.
  3. Add the following channel to the logging{} block section:
    channel queries_log {
        syslog local4;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug;
    };

    category queries { queries_log; };

Note that syslog local4 designates local4 as the syslog facility for these query logs.

When you have finished, the logging{} section should look like this:

    logging {
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };

        channel queries_log {
            syslog local4;
            print-time yes;
            print-category yes;
            print-severity yes;
            severity debug;
        };

        category queries { queries_log; };
    };
  4. Restart the named service by entering the command: # systemctl restart named. This stops and restarts named, which reloads the configuration file. Note that # indicates that you are the administrator or root user.
  5. Next, configure your local syslog daemon to send logs to your Collector. Open /etc/rsyslog.conf in a text editor (such as Vim) with the command vi /etc/rsyslog.conf.
  6. Go to the bottom of the file and find the comment that begins remote host is. Here, add the IP address and host of your Collector.
  7. Save your file.
  8. Finally, restart the rsyslog service with the following command: # systemctl restart rsyslog

Expected Format

The Insight platform will process logs from this event source in the following format:

    <30>Apr 12 11:57:50 mydnsserver-03 named[32176]: 12-Apr-2018 11:57:50.373 client 10.1.1.101#24360 (ssl.gstatic.com): query: ssl.gstatic.com IN A + (10.2.1.22)
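As an added example (not part of this page, of Rapid7's product or of BIND), here is a small Python parser for the query line format shown above. It decodes the syslog PRI and BIND's flag field and reports any line that does not match, which is a quick way to check what the Collector is actually receiving; every sample line except the first is constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# One BIND 9 query line as it arrives over syslog (layout taken from the example above):
#   <PRI>Mon DD hh:mm:ss HOST named[PID]: DD-Mon-YYYY hh:mm:ss.mmm client IP#PORT (QNAME): query: QNAME CLASS TYPE FLAGS (SERVER_IP)
# Newer BIND builds add a "@0x..." client pointer and echo the name in "(QNAME)"; older ones
# print "client IP#PORT: query:", so both pieces are optional here.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} client (?:@0x[0-9a-f]+ )?"
    r"(?P<client_ip>[0-9a-fA-F.:]+)#(?P<client_port>\d+)(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<server_ip>[0-9a-fA-F.:]+)\)$"
)

def parse_bind_query(line: str) -> Optional[Dict[str, object]]:
    """Parse one syslog-wrapped BIND query line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    return {
        "facility": pri >> 3, "severity": pri & 0x7,   # PRI = facility * 8 + severity; <30> is daemon.info
        "host": m["host"], "client_ip": m["client_ip"], "client_port": int(m["client_port"]),
        "qname": m["qname"].rstrip(".").lower(), "qclass": m["qclass"], "qtype": m["qtype"],
        "recursion_desired": m["flags"].startswith("+"),   # "+" = RD bit set, "-" = RD bit clear
        "over_tcp": "T" in m["flags"],                      # T marks a query received over TCP
        "server_ip": m["server_ip"],
    }

def summarize(lines: List[str]) -> Dict[str, object]:
    """Count queries per client and per type and keep every line the parser rejected."""
    per_client, per_type, rejected = Counter(), Counter(), []
    for line in lines:
        q = parse_bind_query(line)
        if q is None:
            rejected.append(line)
            continue
        per_client[q["client_ip"]] += 1
        per_type[q["qtype"]] += 1
    return {"per_client": per_client, "per_type": per_type, "rejected": rejected}

# Constructed sample: the line from the page plus three made-up lines in the same format
# (the last one is not a query and is expected to be reported as rejected).
SAMPLE_LINES = [
    "<30>Apr 12 11:57:50 mydnsserver-03 named[32176]: 12-Apr-2018 11:57:50.373 client 10.1.1.101#24360 (ssl.gstatic.com): query: ssl.gstatic.com IN A + (10.2.1.22)",
    "<30>Apr 12 11:57:51 mydnsserver-03 named[32176]: 12-Apr-2018 11:57:51.004 client @0x7f1c2c0a0d10 10.1.1.57#53011 (example.test): query: example.test. IN TXT -ET (10.2.1.22)",
    "<30>Apr 12 11:57:52 mydnsserver-03 named[32176]: 12-Apr-2018 11:57:52.118 client 10.1.1.101#24361: query: mail.example.test IN AAAA +E(0) (10.2.1.22)",
    "<30>Apr 12 11:57:53 mydnsserver-03 named[32176]: 12-Apr-2018 11:57:53.000 zone example.test/IN: loaded serial 2018041201",
]
```

Running summarize(SAMPLE_LINES) over a capture from the Collector shows at a glance whether the facility, client and query fields arrive as expected and which lines the query-log parser does not recognize.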

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the DNS icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unfiltered logs.
  7. Configure the inactivity timeout threshold in minutes.
  8. Select a collection method and specify a port and a protocol.
    • If you choose TCP, you can optionally encrypt the event source by downloading the Rapid7 Certificate.
  9. Click Save.