yeah. so you want to send dns debug logs to splunk so you can figure out who is
checking out redpepper. that's a hot site!
well. you can really forward them to any syslog server with the setup below, but splunk is my syslog
aggregator of choice. plus it uses nice fonts and has pretty graphs and runs on ubuntu.
follow the instructions here:
http://stratumsecurity.com/2012/07/03/splunk-security/
Your DNS logs will undoubtedly go here (once you turn debug logging on, which it isn't by default: dns manager, right-click the server,
properties, debug logging tab, tick "log packets for debugging"):
C:\WINDOWS\system32\dns
And no worries about your logs rotating or any silliness: the default max file size is 500 MB (500,000,000 bytes), and when the log
hits that the dns server resets it and starts over.
...
if you're using splunk free, like me, you'll eventually figure out that you cannot use the splunk forwarder
to forward into your splunk server. you'll try to enable splunktcp:9997 in inputs.conf on your splunk server,
but the daemon won't listen. you'll try another port only to be met with frustration.
you might even try forwarding to syslog instead, but on the receiving end you'll see:
_linebreaker\x00\x00
that means the data isn't syslog at all; it's splunk's own "cooked" splunk-to-splunk stream, framing and all, and a
plain syslog listener can't do anything with it.
http://answers.splunk.com/answers/10346/splunk-is-adding-weird-strings-like-linebreaker-x00-x00-to-my-events-what-is-going-on.html
that's a super raw deal. but, you're smart and motivated and everyone at work knows you're plain
awesome. yeah. right.
so, your awesome self uses this:
http://www.syslogserver.com/syslogagent.html
the datagram syslog agent is fairly straightforward. it tails the file and ships each new line as a syslog message:
* udp transport, syslog server and port (point it at your splunk box, which needs a matching udp network input
  on that port, e.g. a [udp://514] stanza in inputs.conf; and remember udp is fire-and-forget, so anything dropped on
  the way is dropped silently)
* check enable forwarding of application logs.
* edit application
  - application name: dns debug
  - specific file (static): C:\WINDOWS\system32\dns\dns.log
  - syslog protocol conformity:
    - parse date/time
    - parse host
    - use name "dns debug"
...
head to your splunk console and search for
"dns debug"
and you'll get events like this one:
Jan 12 14:11:58 dns.server Jan 12 14:12:03 valeriano dns debug[info] 20150112 8D58 PACKET 0229A720
UDP Rcv 10.10.10.10 6ea9 Q [0001 D NOERROR] A (4)redpepper(0)
reading left to right after the syslog header: the dns server's date, the thread id, PACKET, an internal packet id,
the protocol, Rcv (query came in) or Snd (response went out), the remote ip, the dns transaction id, the opcode
(Q is a standard query; the server's responses get an extra R in front of it), then [flags in hex, flag letters, rcode],
the query type and finally the name in length-prefixed label form, so (4)redpepper(0) is the name redpepper followed
by the root terminator.
here's looking at you 10.10.10.10.
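once the events are in splunk you'll want to pull the client ip and the name out of each packet line rather than eyeball them. here's an added example (mine, not the post author's, and not part of SyslogAgent or Splunk) in python: a parser for the PACKET line layout above, a decoder for the (3)www(7)example(3)com(0) label notation, and a count of which clients sent queries for a given name, ignoring the server's own responses (the Snd / R lines). the sample lines are constructed except for the first, which is the event from the post; note its (4)redpepper length prefix doesn't match the nine-letter label (the name was presumably edited before posting), so the decoder goes by the label text and only uses (0) as the terminator.

```python
"""Parse Microsoft DNS debug-log PACKET lines and count who asked for a name.

Added example for this post; not the author's code and not part of the
Datagram SyslogAgent or Splunk. SAMPLE_LINES below are constructed except
for the first, which is the event quoted in the post.
"""
import re
from collections import Counter

# One PACKET line, with or without a syslog header in front of it.
# The date is "20150112" (as the agent shipped it) or "1/12/2015 2:12:03 PM"
# (raw dns.log); the time is optional because the agent strips it.
PACKET_RE = re.compile(
    r"""
    (?P<date>\d{8}|\d{1,2}/\d{1,2}/\d{4})\s+
    (?:(?P<time>\d{1,2}:\d{2}:\d{2}(?:\s[AP]M)?)\s+)?
    (?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+(?P<pkt>[0-9A-Fa-f]+)\s+
    (?P<proto>UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+
    (?P<ip>[0-9A-Fa-f.:]+)\s+(?P<xid>[0-9A-Fa-f]{4})\s+
    (?P<resp>R\s+)?(?P<opcode>[A-Z])\s+
    \[(?P<hdr>[^\]]+)\]\s+
    (?P<qtype>[A-Z0-9]+)\s+(?P<qname>\S+)
    """,
    re.VERBOSE,
)

# "(3)www(7)example(3)com(0)": a length prefix in parens before each label,
# and "(0)" marks the root.
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_name(wire: str) -> str:
    """Turn the log's label notation into a dotted, root-terminated name.

    Length prefixes are treated as advisory: the line quoted in the post says
    (4)redpepper, which does not add up, so we go by the label text and stop
    at the (0) terminator.
    """
    labels = []
    for length, label in LABEL_RE.findall(wire):
        if int(length) == 0:
            break
        labels.append(label)
    return ".".join(labels) + "."


def parse_packet(line: str):
    """Return the packet's fields as a dict, or None if this isn't a PACKET line."""
    m = PACKET_RE.search(line)
    if m is None:
        return None
    hdr = m.group("hdr").split()          # e.g. ["8081", "DR", "NOERROR"]
    return {
        "date": m.group("date"),
        "time": m.group("time"),          # None when the agent stripped it
        "proto": m.group("proto"),
        "direction": m.group("dir"),      # Rcv = came in, Snd = went out
        "remote_ip": m.group("ip"),
        "xid": m.group("xid").lower(),
        "is_response": m.group("resp") is not None,
        "opcode": m.group("opcode"),      # Q standard query, N notify, U update
        "flags_hex": hdr[0],
        "flags": "".join(hdr[1:-1]),      # e.g. "D", "DR", "ADR" or ""
        "rcode": hdr[-1],
        "qtype": m.group("qtype"),
        "qname": decode_name(m.group("qname")),
    }


def clients_querying(lines, name: str) -> Counter:
    """Count inbound queries for `name` per client ip; the server's responses are ignored."""
    want = name.rstrip(".").lower()
    hits = Counter()
    for line in lines:
        pkt = parse_packet(line)
        if pkt is None or pkt["direction"] != "Rcv" or pkt["is_response"]:
            continue
        if pkt["qname"].rstrip(".").lower() == want:
            hits[pkt["remote_ip"]] += 1
    return hits


# Constructed sample: the post's event first, then made-up raw dns.log lines
# (server timestamp still present) and one non-PACKET line.
SAMPLE_LINES = [
    'Jan 12 14:11:58 dns.server Jan 12 14:12:03 valeriano dns debug[info] 20150112 8D58 PACKET 0229A720 UDP Rcv 10.10.10.10 6ea9 Q [0001 D NOERROR] A (4)redpepper(0)',
    '1/12/2015 2:12:03 PM 8D58 PACKET 0229A720 UDP Snd 10.10.10.10   6ea9 R Q [8081   DR  NOERROR] A      (9)redpepper(0)',
    '1/12/2015 2:13:10 PM 8D58 PACKET 0229A720 UDP Rcv 10.10.10.20   1a2b   Q [0001   D   NOERROR] A      (3)www(9)redpepper(5)local(0)',
    '1/12/2015 2:13:11 PM 8D58 PACKET 0229A720 UDP Rcv 10.10.10.10   1a2c   Q [0001   D   NOERROR] AAAA   (9)redpepper(0)',
    '1/12/2015 2:13:12 PM 8D58 PACKET 0229A720 TCP Rcv 10.10.10.30   1a2d   Q [0001   D   NOERROR] A      (9)redpepper(0)',
    'Log file wrap at 1/12/2015 2:13:12 PM',
]

if __name__ == "__main__":
    for ip, n in clients_querying(SAMPLE_LINES, "redpepper").most_common():
        print(f"{ip}\t{n} queries for redpepper")
```

run it over a copy of dns.log (or the raw events exported from splunk) to get the same "who's looking at redpepper" answer without scrolling; the regex is also the thing to carry over into a field extraction if you'd rather do the counting with a splunk search.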
Monday, January 12, 2015
ms dns debug logs to splunk