Graylog Illuminate is available for use with Graylog Enterprise and Graylog Security. Contact sales to learn more about obtaining Illuminate.

Hint: This content pack was first released in Illuminate v3.2.0.

Berkeley Internet Name Domain (BIND) is a popular DNS server. It is currently in version 9 as of this publication. BIND is an open-source system free to download and use.

This technology pack will process BIND 9 DNS query logs and error logs, providing normalization and enrichment of those events.

Supported Version

  • BIND 9.18.1

Log Format Example

2023-02-23T21:31:02.205Z queries: info: client @0x7f9bac008aa8 127.0.0.1#57316 (notadomainatall.org): query: notadomainatall.org IN A +E(0)K (127.0.0.1)

2023-02-23T18:27:56.834Z query-errors: info: client @0x7f9ba802c7f8 127.0.0.1#40232 (asldkjfals.topnet): query failed (REFUSED) for asldkjfals.topnet/IN/A at query.c:5590
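The two line shapes above (a "queries" line and a "query-errors" line, both written with print-time iso8601-utc, print-category yes and print-severity yes) can be normalized with a small parser. This is an added example, not part of the Illuminate pack; the sample lines are constructed from the format shown above, and the field names are our own choice.

```python
import re
from typing import Optional

# Constructed sample lines (not from a live server), in the format shown above:
# print-time iso8601-utc, print-category yes, print-severity yes.
SAMPLE_LINES = [
    "2023-02-23T21:31:02.205Z queries: info: client @0x7f9bac008aa8 127.0.0.1#57316 "
    "(notadomainatall.org): query: notadomainatall.org IN A +E(0)K (127.0.0.1)",
    "2023-02-23T18:27:56.834Z query-errors: info: client @0x7f9ba802c7f8 127.0.0.1#40232 "
    "(asldkjfals.topnet): query failed (REFUSED) for asldkjfals.topnet/IN/A at query.c:5590",
    # Written by a channel without print-category/print-severity: no "queries: info:".
    "2023-02-23T21:31:02.205Z client @0x7f9bac008aa8 127.0.0.1#57316 "
    "(notadomainatall.org): query: notadomainatall.org IN A +E(0)K (127.0.0.1)",
]

# Prefix shared by both line types: timestamp, category, severity, client address.
PREFIX = re.compile(
    r"^(?P<ts>\S+) (?P<category>[\w-]+): (?P<severity>\w+): client @0x[0-9a-f]+ "
    r"(?P<client_ip>[^#\s]+)#(?P<client_port>\d+) \((?P<qname>[^)]*)\): (?P<rest>.*)$"
)
# "query: <name> <class> <type> <flags> (<server ip>)"
QUERY = re.compile(
    r"^query: (?P<query_name>\S+) (?P<query_class>\S+) (?P<query_type>\S+) "
    r"(?P<flags>\S+) \((?P<server_ip>[^)]+)\)$"
)
# "query failed (<rcode>) for <name>/<class>/<type> at <file:line>"
ERROR = re.compile(
    r"^query failed \((?P<rcode>[^)]+)\) for (?P<query_name>[^/]+)/(?P<query_class>[^/]+)/"
    r"(?P<query_type>\S+) at (?P<location>\S+)$"
)

def parse_bind_line(line: str) -> Optional[dict]:
    """Normalise one BIND queries/query-errors line into a flat dict, or return
    None when the category/severity prefix the pack relies on is missing."""
    m = PREFIX.match(line)
    if not m:
        return None
    event = {k: v for k, v in m.groupdict().items() if k != "rest"}
    event["client_port"] = int(event["client_port"])
    body = QUERY if event["category"] == "queries" else ERROR
    d = body.match(m.group("rest"))
    if not d:
        return None
    event.update(d.groupdict())
    return event

def parse_all(lines):
    """Return (parsed events, number of lines rejected as unparseable)."""
    events = [parse_bind_line(ln) for ln in lines]
    return [e for e in events if e], sum(e is None for e in events)
```

The third sample line is rejected because it was written without print-category and print-severity, which is why those two channel settings are mandatory for logs sent to Graylog.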

Requirements

  • Install BIND DNS.

    • You can find information on how to install BIND DNS in the BIND documentation. Refer to your vendor for specific instructions on downloading BIND for your operating system.

  • The Illuminate BIND DNS pack requires the following log channel settings for all BIND DNS logs being sent to Graylog:

    - print-category yes;
    - print-severity yes;

  • Configure Filebeat to send BIND logs to the Graylog server's Beats input.

Filebeat Setup

Filebeat is a lightweight log shipper that can be used to send logs from a Windows server to a remote logging system such as Graylog. Follow the steps below in order to install Filebeat and connect it to your Graylog instance:

1. Install Filebeat

Download and install Filebeat for Windows from elastic.co. Choose the required version and download the ZIP file, then follow the Filebeat installation instructions.

2. Create an Input in Graylog

  1. Create a Beats input under System/Inputs in Graylog with the desired port number.

  2. Name and save the input. Make sure input status is running.

  3. Configure Filebeat to collect BIND logs. Edit the Filebeat configuration file (filebeat.yml) to specify the location of the BIND logs and any other desired settings. In this file, you'll also need to specify the Graylog output for Filebeat to send the logs to.

    1. In our case below under “paths,” we added this line to retrieve all the files in the folder: C:\Windows\System32\BIND\*

    2. The “fields” portion is mandatory: it sets the field that Graylog uses to direct the logs into the correct stream.

We have provided a sample filebeat.yml file that will send the logs from your BIND server to Graylog so that they are fully imported and parsed. The following YAML shows the minimum required sections of a filebeat.yml for BIND. You may add to the file, but both sections (inputs and output) must be present.

# ============================== Filebeat inputs ===============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

# filestream is an input for collecting log messages from files.
- type: filestream

  # Unique ID among all inputs, an ID is required.
  id: <my-filestream-id>

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - </path/to/log/file*>

  # Set the event_source_product field to bind_dns so Graylog routes the
  # messages into the Illuminate BIND DNS stream.
  fields:
    event_source_product: bind_dns
  fields_under_root: true

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts (here, the Graylog Beats input)
  hosts: ["<your_graylog_ip>:5044"]

Stream Configuration

This technology pack includes one stream:

"Illuminate: BIND DNS Messages"

Hint: If this stream does not exist when the pack is activated, it will be created, and messages will be routed to it and to the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes one index set definition:

"BIND DNS Logs"

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Configuration

Here is how to set up your BIND log configuration:

  1. Back up your configuration.

  2. Configure BIND logging so that query logs are saved to:

    /var/log/named/query.log.

  3. Save query error logs to:

    /var/log/named/query-errors.log.

The following is a sample BIND logging configuration section that can be added to your BIND configuration. Please verify that this logging configuration works in your environment. Make adjustments as necessary.

logging {
        // print-category yes and print-severity yes are required on every channel
        // whose logs are sent to Graylog (query_log and query-error below).
        channel named           { file "/var/log/named/named.log"        versions 10 size 20M; severity info;  print-time iso8601-utc; print-category yes; print-severity yes; };
        channel security        { file "/var/log/named/security.log"     versions 10 size 20M; severity info;  print-time iso8601-utc; print-severity yes; };
        channel dnssec          { file "/var/log/named/dnssec.log"       versions 10 size 20M; severity info;  print-time iso8601-utc; print-severity yes; };
        channel resolver        { file "/var/log/named/resolver.log"     versions 10 size 20M; severity info;  print-time iso8601-utc; print-severity yes; };
        channel query_log       { file "/var/log/named/query.log"        versions 10 size 80M; severity debug; print-time iso8601-utc; print-category yes; print-severity yes; };
        channel query-error     { file "/var/log/named/query-errors.log" versions 10 size 20M; severity info;  print-time iso8601-utc; print-category yes; print-severity yes; };
        channel lame_servers    { file "/var/log/named/lame-servers.log" versions 10 size 20M; severity info;  print-time iso8601-utc; print-severity yes; };
        channel capacity        { file "/var/log/named/capacity.log"     versions 10 size 20M; severity info;  print-time iso8601-utc; print-severity yes; };
        channel rpz             { file "/var/log/named/rpz.log"          versions 10 size 20M; severity info;  print-time iso8601-utc; print-severity yes; };

        category default        { default_syslog; named; };
        category general        { default_syslog; named; };
        category security       { security; };
        category queries        { query_log; };
        // Without this mapping nothing is written to query-errors.log.
        category query-errors   { query-error; };
        category lame-servers   { lame_servers; };
        category dnssec         { dnssec; };
        category config         { default_syslog; named; };
        category resolver       { resolver; };
        category edns-disabled  { default_syslog; resolver; };
        category cname          { resolver; };
        category serve-stale    { resolver; };
        category spill          { capacity; };
        category rate-limit     { capacity; };
        category database       { capacity; };
        category client         { default_syslog; named; };
        category network        { default_syslog; named; };
        // category dnstap         { dnstap; };
        category unmatched      { named; };
        category delegation-only { named; };
        category dispatch       { named; };
        category trust-anchor-telemetry { named; };
        category rpz            { rpz; };
};

For basic BIND logging configuration recommendations, refer to the ISC documentation.

Below is a second sample log configuration for BIND. Note that this is not a complete configuration and that adjustments should be made for your environment.

The example below writes to the files /var/log/named/queries and /var/log/named/query-errors.

It was taken from the example in the ISC basic recommendations with the following change:

- print-time yes; was changed to print-time iso8601-utc;

// example config components (not a complete logging configuration for BIND!):
channel queries_log {
    file "/var/log/named/queries" versions 600 size 20m;
    print-time iso8601-utc;
    print-category yes;
    print-severity yes;
    severity info;
};

channel query-errors_log {
    file "/var/log/named/query-errors" versions 5 size 20m;
    print-time iso8601-utc;
    print-category yes;
    print-severity yes;
    severity dynamic;
};

category query-errors { query-errors_log; };
category queries { queries_log; };